Cyrus IMAP 2.5.15 Release Notes

Important

This is a bug-fix release in the stable 2.5 series.

Refer to the Cyrus IMAP 2.5.0 Release Notes for important information about the 2.5 series, including upgrading instructions.

Download via HTTPS:

Changes Since 2.5.14

Release changes

We’re trialing using the Github Releases feature. If you have trouble downloading this release, please report this to the mailing lists. Thanks!

Security fixes

  • Fixed CVE-2019-19783: When creating a missing mailbox as part of a sieve ‘fileinto’ directive, lmtpd would create it as administrator, bypassing ACL checks.

    lmtpd creates missing mailboxes as part of a sieve ‘fileinto’ directive if:

    • (2.5+) the anysievefolder option is enabled (default: not), or
    • (3.0+) the sieve_extensions option has the ‘mailbox’ extension enabled (default: enabled) and the ‘fileinto’ directive contains the ”:create” argument

    Under these conditions, a user with the ability to upload a custom sieve script to their account could use it to create any valid mailbox on the server (with ACL inherited from the parent mailbox as usual).

    lmtpd no longer creates these mailboxes as administrator, so users may no longer use a ‘fileinto’ directive to create a mailbox they couldn’t create otherwise.

Bug fixes

  • Fixed Issue #2913: errors are now logged when maxlogins_per_host, maxlogins_per_user, and popminpoll limits are reached (thanks Sergey)