
====================================================================

                             CERT-Renater

                 Information Note No. 2019/VULN426
_____________________________________________________________________

DATE                : 20/12/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Cyrus IMAP versions prior to
                     2.5.15, 3.0.13.

=====================================================================
https://lists.andrew.cmu.edu/pipermail/cyrus-announce/2019-December/000167.html
https://lists.andrew.cmu.edu/pipermail/cyrus-announce/2019-December/000168.html
_____________________________________________________________________

The Cyrus team is proud to announce the immediate availability of a new
version of Cyrus IMAP: 2.5.15

This release contains a fix for CVE-2019-19783, a privilege escalation
vulnerability that permits creation of arbitrary mailboxes using the
'fileinto' directive in user sieve scripts.  If you allow your users to
upload custom sieve scripts, and if you have the 'anysievefolder' option
enabled, you will need this upgrade.

I'm trialling hosting the release files using GitHub's releases feature.
Please use the GitHub download links if possible, and advise if you
have any problems!  (It may even download faster due to GitHub's content
delivery network.)

Download URLs:

    https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-2.5.15/cyrus-imapd-2.5.15.tar.gz
    https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-2.5.15/cyrus-imapd-2.5.15.tar.gz.sig

    https://www.cyrusimap.org/releases/cyrus-imapd-2.5.15.tar.gz
    https://www.cyrusimap.org/releases/cyrus-imapd-2.5.15.tar.gz.sig

Please consult the release notes before upgrading to 2.5.15:

    https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html

And join us on GitHub at https://github.com/cyrusimap/cyrus-imapd to
report issues, join in the deliberations of new features for the next
Cyrus IMAP release, and to contribute to the documentation.

On behalf of the Cyrus team,

Kind regards,

ellie timoney

_____________________________________________________________________

The Cyrus team is proud to announce the immediate availability of a new
version of Cyrus IMAP: 3.0.13

This release contains a fix for CVE-2019-19783, a privilege escalation
vulnerability that permits creation of arbitrary mailboxes using the
'fileinto' directive in user sieve scripts.  If you allow your users to
upload custom sieve scripts, and if you have the 'mailbox' sieve
extension or the 'anysievefolder' option enabled, you will need this
upgrade.

I'm trialling hosting the release files using GitHub's releases feature.
Please use the GitHub download links if possible, and advise if you
have any problems!  (It may even download faster due to GitHub's content
delivery network.)

Download URLs:

    https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.0.13/cyrus-imapd-3.0.13.tar.gz
    https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.0.13/cyrus-imapd-3.0.13.tar.gz.sig

    https://www.cyrusimap.org/releases/cyrus-imapd-3.0.13.tar.gz
    https://www.cyrusimap.org/releases/cyrus-imapd-3.0.13.tar.gz.sig

Please consult the release notes and upgrade documentation before
upgrading to 3.0.13:

    https://www.cyrusimap.org/imap/download/release-notes/3.0/x/3.0.13.html
    https://www.cyrusimap.org/imap/download/upgrade.html

And join us on GitHub at https://github.com/cyrusimap/cyrus-imapd to
report issues, join in the deliberations of new features for the next
Cyrus IMAP release, and to contribute to the documentation.

On behalf of the Cyrus team,

Kind regards,

ellie timoney
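
_____________________________________________________________________

Added example (not part of the Cyrus announcements or of the CERT-Renater
note): a triage check that applies the conditions stated in both
announcements above to a server's version string and imapd.conf text.
The function names, the status labels and the sample configuration are
hypothetical; it assumes the 'mailbox' extension is listed in the
sieve_extensions option, that anysievefolder is off when unset, and that
the operator states whether users may upload sieve scripts.

```python
import re

# Fixed releases named in the two announcements, keyed by release branch.
FIXED = {(2, 5): (2, 5, 15), (3, 0): (3, 0, 13)}
# Assumption: true spellings commonly used for imapd.conf switches.
TRUE_VALUES = {"1", "y", "yes", "on", "t", "true"}

def parse_imapd_conf(text):
    """Parse 'option: value' lines; blanks and '#' comments are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            opts[key.strip().lower()] = value.strip()
    return opts

def assess(version, conf_text, users_upload_sieve=True):
    """Return (status, reasons) for CVE-2019-19783 as the page describes it."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "review", ["cannot parse version " + repr(version)]
    ver = tuple(map(int, m.groups()))
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return "review", ["branch %d.%d is not covered by the announcements" % ver[:2]]
    if ver >= fixed:
        return "patched", ["%s is at or above %d.%d.%d" % ((version,) + fixed)]
    if not users_upload_sieve:
        return "conditions-not-met", ["users cannot upload their own sieve scripts"]
    opts, reasons, unsure = parse_imapd_conf(conf_text), [], []
    # Assumption: anysievefolder counts as disabled when it is not set.
    if opts.get("anysievefolder", "0").lower() in TRUE_VALUES:
        reasons.append("anysievefolder is enabled")
    if ver[:2] == (3, 0):  # only the 3.0.13 announcement names 'mailbox'
        exts = opts.get("sieve_extensions")
        if exts is None:
            unsure.append("sieve_extensions unset: check the built-in default for 'mailbox'")
        elif "mailbox" in exts.lower().split():
            reasons.append("'mailbox' sieve extension is enabled")
    if reasons:
        return "upgrade-needed", reasons
    return ("review", unsure) if unsure else ("conditions-not-met", ["no triggering option enabled"])

# Constructed sample configuration, not taken from a real server.
SAMPLE_CONF = """\
# constructed example
anysievefolder: yes
sieve_extensions: fileinto reject vacation mailbox
"""
```

A "review" result means the announcements alone do not settle the
question, for example a release branch they do not mention.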


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================






