The Cyrus team is proud to announce the immediate availability of new versions 
of Cyrus IMAP: 3.4.2, 3.2.8, and 3.0.16.

These releases contain a fix for CVE-2021-33582.  From the release notes:

> Certain user inputs are used as hash table keys during processing.  A poorly 
> chosen string hashing algorithm meant that the user could control which 
> bucket their data was stored in, allowing a malicious user to direct many 
> inputs to a single bucket.  Each subsequent insertion to the same bucket 
> requires a strcmp of every other entry in it.  At tens of thousands of 
> entries, each new insertion could keep the CPU busy in a strcmp loop for 
> minutes.
> 
> The string hashing algorithm has been replaced with a better one, and now 
> also uses a random seed per hash table, so malicious inputs cannot be 
> precomputed.
> 
> Discovered by Matthew Horsfall, Fastmail

This CVE affects all previous releases of Cyrus IMAP.  Corresponding fixes have 
been applied to the cyrus-imapd-2.4 and cyrus-imapd-2.5 branches.  If you are 
still running 2.4 or 2.5 you should consider applying these patches.

Release notes:

    https://www.cyrusimap.org/imap/download/release-notes/3.4/x/3.4.2.html
    https://www.cyrusimap.org/imap/download/release-notes/3.2/x/3.2.8.html
    https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.16.html

Download URLs:

    https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.4.2/cyrus-imapd-3.4.2.tar.gz
    https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.4.2/cyrus-imapd-3.4.2.tar.gz.sig

    https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.2.8/cyrus-imapd-3.2.8.tar.gz
    https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.2.8/cyrus-imapd-3.2.8.tar.gz.sig

    https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.0.16/cyrus-imapd-3.0.16.tar.gz
    https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.0.16/cyrus-imapd-3.0.16.tar.gz.sig

On behalf of the Cyrus team,

Kind regards,

ellie timoney
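
The bucket-collision cost described in the quoted release notes, as an added example that is not Cyrus code and not part of the original announcement: it counts the strcmp work needed to fill a chained hash table when every key lands in one bucket, and again when the bucket depends on a seed. `weak_hash`, `seeded_hash`, the constructed keys and the table sizes are assumptions made up for illustration; neither hash is the one Cyrus used or adopted, and a production table should use a properly keyed hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NBUCKETS 64
#define NKEYS 512 /* 8^3 constructed keys */
typedef uint32_t (*hash_fn)(const char *s, uint32_t seed);

/* Hypothetical weak hash (byte sum, seed ignored): anagrams share a bucket. */
static uint32_t weak_hash(const char *s, uint32_t seed) {
    uint32_t h = 0; (void)seed;
    while (*s) h += (unsigned char)*s++;
    return h;
}
/* Seeded FNV-1a plus a final mix: a stand-in for a properly keyed hash. */
static uint32_t seeded_hash(const char *s, uint32_t seed) {
    uint32_t h = 2166136261u ^ seed;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    h ^= h >> 16; h *= 0x85ebca6bu; h ^= h >> 13; h *= 0xc2b2ae35u;
    return h ^ (h >> 16);
}
/* Constructed keys: 6 letters whose byte sum is always 3 * ('a' + 'p'). */
static void make_key(int i, char out[7]) {
    for (int p = 0; p < 3; p++, i /= 8) {
        out[2 * p] = (char)('a' + i % 8);
        out[2 * p + 1] = (char)('p' - i % 8);
    }
    out[6] = '\0';
}

/* Insert NKEYS keys into a chained table; return the non-matching strcmp calls. */
static unsigned long insert_cost(hash_fn hash, uint32_t seed) {
    static char keys[NKEYS][7];
    int head[NBUCKETS], next[NKEYS];
    unsigned long cmps = 0;
    for (int b = 0; b < NBUCKETS; b++) head[b] = -1;
    for (int i = 0; i < NKEYS; i++) {
        make_key(i, keys[i]);
        uint32_t b = hash(keys[i], seed) % NBUCKETS;
        for (int j = head[b]; j >= 0; j = next[j], cmps++)
            if (strcmp(keys[j], keys[i]) == 0) break; /* duplicate key */
        next[i] = head[b]; head[b] = i;
    }
    return cmps;
}

int main(void) {
    printf("unseeded: %lu strcmp calls\n", insert_cost(weak_hash, 0));
    printf("seeded:   %lu strcmp calls\n", insert_cost(seeded_hash, 0x5eedu));
    return 0;
}
```

With the byte-sum hash all 512 keys share one bucket, so the comparison count grows quadratically with the number of keys; with the seeded hash the same keys spread across the table.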
