Cyrus IMAP 2.5.15 Release Notes
This is a bug-fix release in the stable 2.5 series.
Refer to the Cyrus IMAP 2.5.0 Release Notes for important information about the 2.5 series, including upgrading instructions.
Download via HTTPS:
Changes Since 2.5.14
We are trialing the GitHub Releases feature. If you have trouble downloading this release, please report it to the mailing lists. Thanks!
Fixed CVE-2019-19783: When creating a missing mailbox as part of a sieve ‘fileinto’ directive, lmtpd would create it as administrator, bypassing ACL checks.
lmtpd creates missing mailboxes as part of a sieve ‘fileinto’ directive if:
(2.5+) the anysievefolder option is enabled (default: disabled), or
(3.0+) the sieve_extensions option has the ‘mailbox’ extension enabled (default: enabled) and the ‘fileinto’ directive contains the “:create” argument
Under these conditions, a user with the ability to upload a custom sieve script to their account could use it to create any valid mailbox on the server (with ACL inherited from the parent mailbox as usual).
lmtpd no longer creates these mailboxes as administrator, so users may no longer use a ‘fileinto’ directive to create a mailbox they couldn’t create otherwise.
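As an added example (not code from the Cyrus project or from this release note), the following Python checker parses an imapd.conf fragment and reports which of the two auto-create conditions above applies, and for the 2.5 series whether the running version predates this fix. It assumes the standard ‘option: value’ file format, that anysievefolder accepts the usual Cyrus boolean spellings, and that an absent sieve_extensions means the default full set; the config fragments and the 3.0.0 version string are constructed placeholders.

```python
TRUE_WORDS = {"1", "yes", "on", "true", "t"}

def parse_imapd_conf(text):
    """Parse 'option: value' lines of an imapd.conf into a dict (comments dropped)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        opts[key.strip()] = value.strip()
    return opts

def fileinto_autocreate_conditions(opts, series):
    """Conditions from the release note under which lmtpd auto-creates a
    missing 'fileinto' target; series is '2.5' or '3.0'."""
    hits = []
    if series == "2.5":
        # anysievefolder is a boolean option that defaults to off
        if opts.get("anysievefolder", "0").lower() in TRUE_WORDS:
            hits.append("anysievefolder enabled")
    elif series == "3.0":
        # sieve_extensions is a space-separated list; when absent, Cyrus
        # enables every extension, so 'mailbox' (fileinto :create) is on
        ext = opts.get("sieve_extensions")
        if ext is None or "mailbox" in ext.split():
            hits.append("sieve 'mailbox' extension enabled (fileinto :create)")
    return hits

def fixed_in_2_5(version):
    """True for 2.5.x releases at or after 2.5.15, where this fix shipped."""
    parts = tuple(int(p) for p in version.split("."))
    return parts[:2] == (2, 5) and parts >= (2, 5, 15)

def assess(conf_text, version):
    """Summarise CVE-2019-19783 exposure. The 3.0 fix version is not stated
    in this note, so for 3.0 only the condition is reported (exposed=None)."""
    series = ".".join(version.split(".")[:2])
    hits = fileinto_autocreate_conditions(parse_imapd_conf(conf_text), series)
    if series == "2.5":
        return {"conditions": hits, "exposed": bool(hits) and not fixed_in_2_5(version)}
    return {"conditions": hits, "exposed": None}

# Constructed imapd.conf fragments, not taken from any real deployment
CONF_25_WEAK = "configdirectory: /var/lib/imap\nanysievefolder: yes\n"
CONF_25_SAFE = "configdirectory: /var/lib/imap\n# anysievefolder left at default\n"
CONF_30_NO_MAILBOX = "sieve_extensions: fileinto reject vacation\n"

if __name__ == "__main__":
    print(assess(CONF_25_WEAK, "2.5.14"), assess(CONF_25_WEAK, "2.5.15"))
```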