(un-CCed CERT, they don't care!)

On Wed, Sep 09, 2009 at 10:20:33PM +0200, Simon Matter wrote:
> > I'd like to announce the releases of Cyrus IMAPd 2.2.13p1 and 2.3.15.
> > These releases should both be considered production quality. These
> > releases are being made at this time to fix the potential buffer
> > overflow vulnerability described in CERT VU#336053:
> > http://www.kb.cert.org/vuls/id/336053
> >
> > The 2.2.13p1 release is no different from 2.2.13 other than the buffer
> > overflow fix. The 2.3.15 release contains several other non-critical
> > bugfixes and feature enhancements. For full details, please see
> > doc/changes.html and doc/install-upgrade.html which are included in the
> > distribution.
> >
> > I'd personally like to thank Bron Gondwana of Fastmail.fm for finding
> > and fixing the buffer overflow, as well as his numerous other
> > contributions to the 2.3.15 release.
>
> Hello Cyrus IMAP team,
>
> Thanks for the new release. While upgrading our RPMs I found two small
> issues:
>
> 1) Old (ancient) GCC doesn't like some of the new code. A patch to fix the
> issue is attached.

Applied to my git tree - I'll push it back to CVS. Thanks.

> 2) Old (ancient) zlib doesn't have the deflateBound() function. Looks like
> at least zlib >= 1.2.x is needed. Maybe the zlib detection could also
> check the version of the deflateBound() function?

It shouldn't be too hard to rewrite it to not use deflateBound() at all.
I'll have a look at that. Who still has ancient zlib? RH 7.3?

> For those interested, the package is available in the usual place
> http://www.invoca.ch/pub/packages/cyrus-imapd/

Cool :) I don't actually have a redhat machine to test things on, but it's
good to have these packages out there.

Bron ( not everyone wants to be hand-building Cyrus all the time! )

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html