File: 3.2.8.rst.txt

:tocdepth: 3

==============================
Cyrus IMAP 3.2.8 Release Notes
==============================

Download from GitHub:

    *   https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.2.8/cyrus-imapd-3.2.8.tar.gz
    *   https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.2.8/cyrus-imapd-3.2.8.tar.gz.sig

.. _relnotes-3.2.8-changes:

Changes since 3.2.7
===================

Security fixes:
---------------

* Fixed CVE-2021-33582_: Certain user inputs are used as hash table keys during
  processing.  A poorly chosen string hashing algorithm meant that the user
  could control which bucket their data was stored in, allowing a malicious
  user to direct many inputs to a single bucket.  Each subsequent insertion to
  the same bucket requires a strcmp of every other entry in it.  At tens of
  thousands of entries, each new insertion could keep the CPU busy in a strcmp
  loop for minutes.

  The string hashing algorithm has been replaced with a better one, and now
  also uses a random seed per hash table, so malicious inputs cannot be
  precomputed.

  Discovered by Matthew Horsfall, Fastmail

.. _CVE-2021-33582: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33582
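
The cost described in the CVE-2021-33582 entry can be measured on a small chained hash table. This is an added example, not Cyrus IMAP code: ``hash_sum``, ``hash_seeded``, ``insert_cost``, the 61-bucket table and the constructed keys are assumptions for illustration, and neither hash function is claimed to be the one Cyrus used before or after the fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define NBUCKETS 61
#define KEYLEN 8
#define NKEYS 70 /* C(8,4): 8-char keys over {a,b} with exactly four 'b's */

/* Weak unseeded stand-in (byte sum): reordering a key's bytes never changes its bucket. */
static uint32_t hash_sum(const char *k, uint32_t seed) {
    uint32_t h = 0; (void)seed;
    while (*k) h += (unsigned char)*k++;
    return h;
}

/* Seeded stand-in (FNV-1a with the seed mixed into the offset basis). */
static uint32_t hash_seeded(const char *k, uint32_t seed) {
    uint32_t h = 2166136261u ^ seed;
    while (*k) { h ^= (unsigned char)*k++; h *= 16777619u; }
    return h;
}

/* Insert the constructed keys into a chained table; return the total number of strcmp calls. */
static unsigned long insert_cost(uint32_t (*fn)(const char *, uint32_t), uint32_t seed) {
    static char keys[NKEYS][KEYLEN + 1];
    int chain[NBUCKETS][NKEYS], len[NBUCKETS] = {0}, n = 0;
    unsigned long cmps = 0;
    for (unsigned m = 0; m < 256; m++) {          /* constructed sample input */
        int bits = 0;
        for (int i = 0; i < KEYLEN; i++) bits += m >> i & 1;
        if (bits != 4) continue;
        for (int i = 0; i < KEYLEN; i++) keys[n][i] = (m >> i & 1) ? 'b' : 'a';
        keys[n++][KEYLEN] = '\0';
    }
    for (int i = 0; i < n; i++) {
        int b = fn(keys[i], seed) % NBUCKETS;
        for (int j = 0; j < len[b]; j++)           /* duplicate check walks the whole chain */
            if (cmps++, strcmp(keys[chain[b][j]], keys[i]) == 0) break;
        chain[b][len[b]++] = i;
    }
    return cmps;
}

int main(void) {
    uint32_t seed = 0;
    FILE *f = fopen("/dev/urandom", "rb");         /* fresh random seed for this table */
    if (!f || fread(&seed, sizeof seed, 1, f) != 1) return 1;
    fclose(f);
    printf("byte-sum: %lu strcmp calls, seeded: %lu\n", insert_cost(hash_sum, 0), insert_cost(hash_seeded, seed));
    return 0;
}
```

With all 70 keys in one bucket, the inserts cost 0 + 1 + ... + 69 = 2415 comparisons, which is the quadratic growth the release note describes. With a per-table seed the bucket of each key cannot be known in advance, so the same keys spread across the table.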

Bug fixes
---------

* Fixed: missing CY namespace in some DAV responses