The Cyrus team is proud to announce the first release candidate from the new Cyrus IMAP 3.10 series: 3.10.0-rc1
While 3.10 is still in beta, the main https://www.cyrusimap.org/ website will continue to be focused on the stable 3.8 series. The 3.10 website is available at https://www.cyrusimap.org/3.10/
If you're able to try this out and report bugs/provide feedback, please do. Thanks!
This release contains a fix for CVE-2024-34055. From the release notes:
Cyrus-IMAP through 3.8.2 and 3.10.0-beta2 allow authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command.The IMAP protocol allows for command arguments to be LITERALs of negotiated length, and for these the server allocates memory to receive the content before instructing the client to proceed. The allocated memory is released when the whole command has been received and processed.The IMAP protocol has a number commands that specify an unlimited number of arguments, for example SEARCH. Each of these arguments can be a LITERAL, for which memory will be allocated and not released until the entire command has been received and processed. This can run a server out of memory, with varying consequences depending on the server's OOM policy.Discovered by Damian Poddebniak.
This issue affects all previous Cyrus IMAP releases, and is fixed in stable versions 3.8.3, 3.6.5, and 3.4.8.
The updated version introduces two new imapd.conf limits (maxargssize, maxliteral) that operators can configure with safe values for their environment. Please see the release notes and other documentation for full details.
Download URLs:
Please consult the release notes and upgrade documentation before upgrading to 3.10:
And join us on Github at https://github.com/cyrusimap/cyrus-imapd to report issues, join in the deliberations of new features for the next Cyrus IMAP release, and to contribute to the documentation.
On behalf of the Cyrus team,
ellie timoney
