Univention Bugzilla – Bug 50682
cyrus-imapd: Multiple issues (4.4)
Last modified: 2020-01-15 17:00:05 CET
New Debian cyrus-imapd 2.5.10-3+deb9u2 fixes: This update addresses the following issue: * An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c. (CVE-2019-19783)
--- mirror/ftp/4.4/unmaintained/4.4-1/source/cyrus-imapd_2.5.10-3+deb9u1.dsc +++ apt/ucs_4.4-0-errata4.4-3/source/cyrus-imapd_2.5.10-3+deb9u2.dsc @@ -1,3 +1,8 @@ +2.5.10-3+deb9u2 [Mon, 16 Dec 2019 19:50:02 +0100] Xavier Guimard <yadd@debian.org>: + + * Add patch to avoid mailbox creation as administrator + (Closes: #CVE-2019-19783) + 2.5.10-3+deb9u1 [Fri, 07 Jun 2019 07:22:52 +0200] Xavier Guimard <yadd@debian.org>: * Add patch to fix arbitrary code execution via CalDAV <http://10.200.17.11/4.4-3/#2940016564962025345>
OK: yaml OK: announce_errata OK: patch ~OK: piuparts files remain after purging [4.4-3] 3643b47783 Bug #50682: cyrus-imapd 2.5.10-3+deb9u2 doc/errata/staging/cyrus-imapd.yaml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) [4.4-3] f2247e32a3 Bug #50682: cyrus-imapd 2.5.10-3+deb9u2 doc/errata/staging/cyrus-imapd.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
<http://errata.software-univention.de/ucs/4.4/414.html>