Cyrus IMAP 3.0.16 Release Notes

Important

This is a bug-fix release in the 3.0 series.

Refer to the Cyrus IMAP 3.0.0 Release Notes for important information about the 3.0 series, including upgrading instructions.

Download via HTTPS:

• https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.0.16/cyrus-imapd-3.0.16.tar.gz

• https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.0.16/cyrus-imapd-3.0.16.tar.gz.sig

Changes Since 3.0.15

Security fixes:

• Fixed CVE-2021-33582: Certain user inputs are used as hash table keys during processing. A poorly chosen string hashing algorithm meant that the user could control which bucket their data was stored in, allowing a malicious user to direct many inputs to a single bucket. Each subsequent insertion to the same bucket requires a strcmp of every other entry in it. At tens of thousands of entries, each new insertion could keep the CPU busy in a strcmp loop for minutes.

  The string hashing algorithm has been replaced with a better one, and now also uses a random seed per hash table, so malicious inputs cannot be precomputed.

  Discovered by Matthew Horsfall, Fastmail

Build fixes

• Fixed: expired test certificates caused unit test failures

• Fixed: various warnings raised by newer compilers

Bug fixes

• Fixed: crash when looking up entries in zero-sized hash tables

• Fixed: deduplicated code in hash_del (thanks Дилян Палаузов)

• Fixed Issue #3456: per-server annotations were unable to replicate