I ran across this: http://marc.theaimsgroup.com/?l=full-disclosure&m=114821239014171&w=2 The popsubfolders option seems to have been added after 2.3, FC5 may be affected. I ran the exploit against a copy of FC5, I got this in the log file: May 21 20:26:51 bowser pop3[5075]: buffer overflow while canonicalizing If someone who knows cyrus-imapd a little better could take a look at this it would be appreciated. It's possible this is a 2.3.2 only issue (we ship 2.3.1 in FC5). If nobody else gets to this, I'll try to take a better look tomorrow. -- JB
