CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2021/09/01 02:57:18
Modified files:
mail/cyrus-imapd: Tag: OPENBSD_6_9 Makefile distinfo
mail/cyrus-imapd/pkg: Tag: OPENBSD_6_9 PLIST
Log message:
SECURITY update to cyrus-imapd-3.2.8.
Fixed CVE-2021-33582: Certain user inputs are used as hash table keys during
processing. A poorly chosen string hashing algorithm meant that the user could
control which bucket their data was stored in, allowing a malicious user to
direct many inputs to a single bucket. Each subsequent insertion to the same
bucket requires a strcmp of every other entry in it. At tens of thousands of
entries, each new insertion could keep the CPU busy in a strcmp loop for
minutes.
The string hashing algorithm has been replaced with a better one, and now also
uses a random seed per hash table, so malicious inputs cannot be precomputed.
