> (un-CCed CERT, they don't care!) > > On Wed, Sep 09, 2009 at 10:20:33PM +0200, Simon Matter wrote: >> > I'd like to announce the releases of Cyrus IMAPd 2.2.13p1 and 2.3.15. >> > These releases should both be considered production quality. These >> > releases are being made at this time to fix the potential buffer >> > overflow vulnerability described in CERT VU#336053: >> > http://www.kb.cert.org/vuls/id/336053 >> > >> > The 2.2.13p1 release is no different from 2.2.13 other than the buffer >> > overflow fix. The 2.3.15 release contains several other non-critical >> > bugfixes and feature enhancements. For full details, please see >> > doc/changes.html and doc/install-upgrade.html which are included in >> the >> > distribution. >> > >> > I'd personally like to thank Bron Gondwana of Fastmail.fm for finding >> > and fixing the buffer overflow, as well as his numerous other >> > contributions to the 2.3.15 release. >> >> Hello Cyrus IMAP team, >> >> Thanks for the new release. While upgrading our RPMs I found two small >> issues: >> >> 1) Old (ancient) GCC doesn't like some of the new code. A patch to fix >> the >> issue is attached. > > Applied to my git tree - I'll push it back to CVS. Thanks. Great, thanks. > >> 2) Old (ancient) zlib doesn't have the deflateBound() function. Looks >> like >> at least zlib >= 1.2.x is needed. Maybe the zlib detection could also >> check the version of the deflateBound() function? > > It shouldn't be too hard to rewrite it to not use deflateBound() at all. > I'll have a look at that. Sounds good, I was sure it could be done but not by me. If I try it nobody will be happy with the result :( > > Who still has ancient zlib? RH 7.3? Yes, or RHEL2.1, which is now EOL. Really, it's low priority but still nice to have as much compatibility as possible which makes life of packagers easier. Just let me know if you have patches to test... > >> For those interested, the package is available in the usual place >> http://www.invoca.ch/pub/packages/cyrus-imapd/ > > Cool :) I don't actually have a redhat machine to test things on, but > it's good to have these packages out there. > > Bron ( not everyone wants to be hand-building Cyrus all the time! ) Some years back I did quite a number of Cyrus installs for companies around the world. That's gone now because of my own packages which have even be included in RedHat EL. Regards, Simon ---- Cyrus Home Page: http://cyrusimap.web.cmu.edu/ Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html