Cyrus IMAP 3.4.1 Release Notes

Download from GitHub:

Changes since 3.4.0

Security fixes:

  • Fixed CVE-2021-32056: Remote authenticated users could bypass intended access restrictions on certain server annotations. Additionally, a long-standing bug in replication did not allow server annotations to be replicated. Combining these two bugs, a remote authenticated user could stall replication, requiring administrator intervention.

Build changes

  • Fixed Issue #3462: using GLIBC-only macro to check for GCC features (thanks Andy Fiddaman)

Bug fixes

  • Fixed Issue #3456: per-server annotations were unable to replicate

  • Fixed Issue #3468: ctl_cyrusdb -r assertion on startup when mboxlist_db configured to "skiplist" (thanks Felix J. Ogris)

  • Fixed: JMAP email updates must result in non-empty mailboxIds

  • Fixed: output JMAP dates as Dates, not UTCDates

Fixes to nonstandard JMAP extensions

(These extensions are not yet formally standardised, and are only available with the jmap_nonstandard_extensions imapd.conf(5) option enabled.)

  • Fixed: JMAP Calendars Extension - gracefully handle empty property values

  • Fixed: JMAP Calendars Extension - ignore empty string default values in events

  • Fixed: JMAP Calendars Extension - do not use Participant.email for scheduling