The Cyrus team is proud to announce the immediate availability of new versions of Cyrus IMAP: 3.4.2, 3.2.8, and 3.0.16.

These releases contain a fix for CVE-2021-33582. From the release notes:

> Certain user inputs are used as hash table keys during processing. A poorly chosen string hashing algorithm meant that the user could control which bucket their data was stored in, allowing a malicious user to direct many inputs to a single bucket. Each subsequent insertion to the same bucket requires a strcmp of every other entry in it. At tens of thousands of entries, each new insertion could keep the CPU busy in a strcmp loop for minutes.
>
> The string hashing algorithm has been replaced with a better one, and now also uses a random seed per hash table, so malicious inputs cannot be precomputed.
>
> Discovered by Matthew Horsfall, Fastmail

This CVE affects all previous releases of Cyrus IMAP. Corresponding fixes have been applied to the cyrus-imapd-2.4 and cyrus-imapd-2.5 branches. If you are still running 2.4 or 2.5 you should consider applying these patches.

Release notes:

https://www.cyrusimap.org/imap/download/release-notes/3.4/x/3.4.2.html
https://www.cyrusimap.org/imap/download/release-notes/3.2/x/3.2.8.html
https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.16.html

Download URLs:

https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.4.2/cyrus-imapd-3.4.2.tar.gz
https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.4.2/cyrus-imapd-3.4.2.tar.gz.sig
https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.2.8/cyrus-imapd-3.2.8.tar.gz
https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.2.8/cyrus-imapd-3.2.8.tar.gz.sig
https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.0.16/cyrus-imapd-3.0.16.tar.gz
https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.0.16/cyrus-imapd-3.0.16.tar.gz.sig

On behalf of the Cyrus team,

Kind regards,

ellie timoney
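
The insertion cost described in the release notes above, as an added C illustration that is not code from Cyrus IMAP or from this announcement: it counts the strcmp calls needed to insert the same key set into a chained hash table under an unseeded hash and under a seeded one. Both hash functions, the 64-bucket table and the 26 keys are assumptions constructed for the example; the announcement does not name the old or the replacement algorithm.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define NBUCKETS 64
#define NKEYS 26

/* Toy unseeded hash (not Cyrus's): byte sum, so keys with equal sums share a bucket. */
static uint32_t weak_hash(const char *s, uint32_t seed) {
    uint32_t h = 0;
    (void)seed;
    while (*s) h += (unsigned char)*s++;
    return h;
}

/* Stand-in for a seeded hash: FNV-1a with the seed mixed into the basis. */
static uint32_t seeded_hash(const char *s, uint32_t seed) {
    uint32_t h = 2166136261u ^ seed;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h;
}

/* Insert constructed keys into a chained table with a duplicate check and
 * return the total number of strcmp calls the insertions needed. */
static unsigned long insert_cost(uint32_t (*hash)(const char *, uint32_t),
                                 uint32_t seed) {
    static char keys[NKEYS][3];
    int chain[NBUCKETS][NKEYS], len[NBUCKETS] = {0};
    unsigned long cmps = 0;
    for (int i = 0; i < NKEYS; i++) {
        /* constructed input: every key has the same byte sum ('a' + 'z') */
        keys[i][0] = (char)('a' + i); keys[i][1] = (char)('z' - i); keys[i][2] = 0;
        int b = (int)(hash(keys[i], seed) % NBUCKETS), dup = 0;
        for (int j = 0; j < len[b] && !dup; j++) {
            cmps++;
            dup = strcmp(keys[chain[b][j]], keys[i]) == 0;
        }
        if (!dup) chain[b][len[b]++] = i;
    }
    return cmps;
}

int main(void) {
    uint32_t seed = (uint32_t)time(NULL); /* placeholder; use a CSPRNG in practice */
    printf("unseeded byte-sum hash: %lu strcmp calls\n", insert_cost(weak_hash, 0));
    printf("seeded hash:            %lu strcmp calls\n", insert_cost(seeded_hash, seed));
    return 0;
}
```

With all n keys in one bucket the total is n(n-1)/2 comparisons, which is the quadratic growth behind the minutes-long strcmp loops the release notes mention at tens of thousands of entries.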