Cyrus IMAP 3.0.13 Release Notes¶
This is a bug-fix release in the stable 3.0 series.
Refer to the Cyrus IMAP 3.0.0 Release Notes for important information about the 3.0 series, including upgrading instructions.
Download via HTTPS:
Changes Since 3.0.12¶
We’re trialing using the Github Releases feature. If you have trouble downloading this release, please report this to the mailing lists. Thanks!
Fixed CVE-2019-19783: When creating a missing mailbox as part of a sieve ‘fileinto’ directive, lmtpd would create it as administrator, bypassing ACL checks.
lmtpd creates missing mailboxes as part of a sieve ‘fileinto’ directive if:
- (2.5+) the anysievefolder option is enabled (default: not), or
- (3.0+) the sieve_extensions option has the ‘mailbox’ extension enabled (default: enabled) and the ‘fileinto’ directive contains the ”:create” argument
Under these conditions, a user with the ability to upload a custom sieve script to their account could use it to create any valid mailbox on the server (with ACL inherited from the parent mailbox as usual).
lmtpd no longer creates these mailboxes as administrator, so users may no longer use a ‘fileinto’ directive to create a mailbox they couldn’t create otherwise.
- configure –disable-http2 can now be used to disable HTTP/2 support, even when libnghttp2 is installed on the system (thanks Дилян Палаузов)
- Fixed Issue #2383: XFER of a single mailbox now works (thanks Anthony Prades)
- Fixed Issue #2914: ctl_backups lock no longer crashes if the backup is already locked
- Fixed Issue #2913: errors are now logged when maxlogins_per_host, maxlogins_per_user, and popminpoll limits are reached (thanks Sergey)
- Fixed: various IOERRORs resulting from bad handling of files >2GB
- Fixed Issue #2920: backup tools now expect admin namespace mboxnames, not internal names
- Fixed Issue #2931: symbol ordering in libcyrus.so no longer depends on shell locale in effect during compilation (thanks Xavier)