The Cyrus team is proud to announce the first release candidate from the new Cyrus IMAP 3.10 series: 3.10.0-rc1

While 3.10 is still in beta, the main https://www.cyrusimap.org/ website will continue to be focused on the stable 3.8 series. The 3.10 website is available at https://www.cyrusimap.org/3.10/

If you're able to try this out and report bugs/provide feedback, please do. Thanks!

This release contains a fix for CVE-2024-34055 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34055>. From the release notes:

> Cyrus-IMAP through 3.8.2 and 3.10.0-beta2 allow authenticated attackers to
> cause unbounded memory allocation by sending many LITERALs in a single
> command.
>
> The IMAP protocol allows for command arguments to be LITERALs of negotiated
> length, and for these the server allocates memory to receive the content
> before instructing the client to proceed. The allocated memory is released
> when the whole command has been received and processed.
>
> The IMAP protocol has a number of commands that specify an unlimited number of
> arguments, for example SEARCH. Each of these arguments can be a LITERAL, for
> which memory will be allocated and not released until the entire command has
> been received and processed. This can run a server out of memory, with
> varying consequences depending on the server's OOM policy.
>
> Discovered by Damian Poddebniak.

This issue affects all previous Cyrus IMAP releases, and is fixed in stable versions 3.8.3, 3.6.5, and 3.4.8. The updated version introduces two new imapd.conf limits (maxargssize, maxliteral) that operators can configure with safe values for their environment. Please see the release notes and other documentation for full details.
Download URLs:

https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.10.0-rc1/cyrus-imapd-3.10.0-rc1.tar.gz
https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.10.0-rc1/cyrus-imapd-3.10.0-rc1.tar.gz.sig

Please consult the release notes and upgrade documentation before upgrading to 3.10:

https://www.cyrusimap.org/3.10/imap/download/release-notes/3.10/x/3.10.0-rc1.html
https://www.cyrusimap.org/3.10/imap/download/upgrade.html

And join us on GitHub at https://github.com/cyrusimap/cyrus-imapd to report issues, join in the deliberations of new features for the next Cyrus IMAP release, and to contribute to the documentation.

On behalf of the Cyrus team,

ellie timoney
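The following is an added example, not part of the announcement and not Cyrus code: a small model of the per-command memory accounting the release notes describe, showing how a per-literal cap and a per-command total bound what the server reserves. The function names, the parameters `max_literal` and `max_args_size` (named after the new options, with their exact imapd.conf semantics assumed here), and all sizes are constructed for illustration.

```python
import re

# A fragment ending in "{N}\r\n" announces a synchronizing literal of N bytes;
# the server reserves N bytes before answering "+" to let the client proceed.
LITERAL = re.compile(rb"\{(\d+)\}\r\n\Z")

def admit_command(fragments, max_literal, max_args_size):
    """Walk one command's line fragments in arrival order.

    Literal payloads are represented only by their announced size.
    Returns (accepted, bytes_reserved, reason).
    """
    reserved = 0
    for frag in fragments:
        reserved += len(frag)
        m = LITERAL.search(frag)
        announced = int(m.group(1)) if m else 0
        # Per-literal cap, checked before any buffer is allocated.
        if announced > max_literal:
            return (False, reserved, "literal too large")
        # Per-command cap: nothing is freed until the command completes.
        if reserved + announced > max_args_size:
            return (False, reserved, "command arguments too large")
        reserved += announced
        if not m:  # no literal marker, so this CRLF ends the command
            return (True, reserved, "complete")
    return (False, reserved, "incomplete command")

def build_search(n_literals, literal_size):
    """Constructed sample: a SEARCH whose every argument is a literal."""
    frags = [b"a1 SEARCH SUBJECT {%d}\r\n" % literal_size]
    frags += [b" SUBJECT {%d}\r\n" % literal_size] * (n_literals - 1)
    return frags + [b"\r\n"]

if __name__ == "__main__":
    no_limit = float("inf")  # models a server without either limit
    cmd = build_search(n_literals=200, literal_size=4096)
    print(admit_command(cmd, no_limit, no_limit))
    print(admit_command(cmd, max_literal=131072, max_args_size=65536))
    print(admit_command(build_search(1, 1_000_000), 131072, 65536))
```

Without limits the whole command stays reserved until it completes; with them, the command is refused before the next buffer would be allocated.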
