Cyrus IMAP 3.0.3 Release Notes

Important

This is a bug-fix release in the stable 3.0 series.

Refer to the Cyrus IMAP 3.0.0 Release Notes for important information about the 3.0 series, including upgrading instructions.

Download from GitHub:

• https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.0.3/cyrus-imapd-3.0.3.tar.gz
• https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.0.3/cyrus-imapd-3.0.3.tar.gz.sig

Changes Since 3.0.2

Security fixes

An authenticated non-admin IMAP user could overwrite an arbitrary file (subject to cyrus user permissions) with specially crafted SYNCAPPLY, SYNCGET or SYNCRESTORE commands.

This issue was introduced with commit 152f59c and affects all releases from the 3.0 series prior to this. 2.5 and earlier are not affected.

It is fixed by commits 53c4137 and 5edadcf.

Other changes

• Improved JMAP support
• imapd client_id log lines now include the session id

Bug fixes

• Fixed: lmtpd no longer crashes due to uninitialised quotadb
• Fixed Issue #1434: buffer overflow in auth_pts from too-long imapd.conf value
• Fixed Issue #1090: non-standard NO response to ID command
• Fixed: uninitialised buffer in ischedule
• Fixed: replication desyncronisation when only last_uid field changes
• Fixed Issue #2076: IMAP LIST was unnecessarily dependent on PCRE
• Fixed Issue #1437: buffer overflow in mupdate-client from too-long imapd.conf value
• Fixed Issue #2080: crash in cyrdump due to uninitialised mboxname
• Fixed: installed arrayu64.h and strarray.h no longer depend on util.h
• Fixed: backup staging files are now cleaned up on signal shutdown
• Fixed: backup no longer re-uses reserve partition as staging path

Erratum

Earlier release notes from the 3.0 series stated that the default value of the virtdomains option had changed from off to userid. This is not the case: the default is still off, and will remain so for the life of the 3.0 series.