Fedora has issued an advisory on February 19: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJZB45QBUN7CZFGOWCZYUYACNBTX7LVS/ The issues are fixed upstream in 3.0.16 and 3.2.8. The first CVE may not affect us (it's not entirely clear), but the second one definitely does. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 3.0.16
Whiteboard: (none) => MGA8TOO
No particular packager evident, so assigning this globally.
Assignee: bugsquad => pkg-bugs
Debian-LTS has issued an advisory for the second issue today (June 20): https://www.debian.org/lts/security/2022/dla-3052
Hi,

At least Debian, OpenSUSE and upstream say CVE-2021-32056 only affects 3.2.x and above:
https://security-tracker.debian.org/tracker/CVE-2021-32056
https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41465b521399f691c241181300fab55995#commitcomment-50693076

Best regards,
Nico.
CC: (none) => nicolas.salguero
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Cyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. (CVE-2021-33582)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33582
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WJZB45QBUN7CZFGOWCZYUYACNBTX7LVS/
https://www.debian.org/lts/security/2022/dla-3052
========================

Updated packages in core/updates_testing:
========================
cyrus-imapd-2.5.15-3.1.mga8
lib(64)cyrus-imapd0-2.5.15-3.1.mga
lib(64)cyrus-imapd-devel-2.5.15-3.1.mga8
perl-Cyrus-2.5.15-3.1.mga8

from SRPM:
cyrus-imapd-2.5.15-3.1.mga8.src.rpm

Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 3.0.16 => (none)
Status: NEW => ASSIGNED
CVE: (none) => CVE-2021-33582
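The mechanism the advisory above describes (many keys landing in one bucket, so a lookup degenerates into a long run of strcmp calls) as an added C illustration that is not Cyrus code: a toy chained string table whose lookups count strcmp calls, filled with constructed equal-sum keys under a weak byte-sum hash and under FNV-1a. The hash functions, key scheme and table layout are assumptions for illustration, not Cyrus internals.

```c
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 64

/* Chained string hash table; a lookup walks one chain calling strcmp per node.
   strcmp_calls counts comparisons done by lookups, the cost that balloons. */
struct entry { char *key; struct entry *next; };
struct table { struct entry *buckets[NBUCKETS]; unsigned (*hash)(const char *); unsigned long strcmp_calls; };

unsigned hash_sum(const char *s) {     /* weak hash (constructed): byte sum, so equal-sum keys collide */
    unsigned h = 0;
    while (*s) h += (unsigned char)*s++;
    return h % NBUCKETS;
}

unsigned hash_fnv1a(const char *s) {   /* better mixing: 32-bit FNV-1a spreads similar keys */
    unsigned h = 2166136261u;
    while (*s) { h ^= (unsigned char)*s++; h *= 16777619u; }
    return h % NBUCKETS;
}

void table_insert(struct table *t, const char *key) {
    struct entry *e = malloc(sizeof *e);
    unsigned b = t->hash(key);
    e->key = malloc(strlen(key) + 1); strcpy(e->key, key);
    e->next = t->buckets[b];           /* push at head: older keys sink deeper */
    t->buckets[b] = e;
}

/* Each node visited costs one strcmp; a long chain turns this into the slow path. */
int table_lookup(struct table *t, const char *key) {
    for (struct entry *e = t->buckets[t->hash(key)]; e; e = e->next) {
        t->strcmp_calls++;
        if (strcmp(e->key, key) == 0) return 1;
    }
    return 0;
}

/* Insert n (<= 26) constructed keys "k??" whose two trailing bytes always sum to
   the same value, then look up the first-inserted one; returns the strcmp count. */
unsigned long strcmps_for_lookup(unsigned (*hash)(const char *), int n) {
    struct table t = { {0}, hash, 0 };
    char key[4] = "k";
    for (int i = 0; i < n; i++) {
        key[1] = (char)('a' + i); key[2] = (char)('a' + n - 1 - i);
        table_insert(&t, key);
    }
    key[1] = 'a'; key[2] = (char)('a' + n - 1);
    return table_lookup(&t, key) ? t.strcmp_calls : 0;
}
```

With the byte-sum hash every key shares one bucket and the lookup costs n comparisons; tracking the longest chain or comparisons per lookup is the kind of metric that makes this degradation visible before it becomes a multi-minute hang.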
Regarding CVE-2021-32056, when I looked at the code, I did not find the affected code, so I also think that CVE does not affect us.
Selecting all four packages in QARepo gives:
lib64cyrus-imapd0-2.5.15-3.1.mga not found in the remote repository
CC: (none) => herman.viaene
There should be an 8 at the end of that name (mga8).
MGA8-64 Plasma on Acer Aspire 5253

No installation issues.
Ref bug 25913 for testing

# systemctl start cyrus-imapd.service
# systemctl -l status cyrus-imapd.service
● cyrus-imapd.service - Cyrus-imapd IMAP/POP3 email server
     Loaded: loaded (/usr/lib/systemd/system/cyrus-imapd.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-06-30 10:19:53 CEST; 16s ago
    Process: 16530 ExecStartPre=/usr/lib/cyrus-imapd/cyr_systemd_helper start (code=exited, status=0/SUCCESS)
   Main PID: 16588 (cyrus-master)
      Tasks: 23 (limit: 4364)
     Memory: 34.9M
        CPU: 684ms
     CGroup: /system.slice/cyrus-imapd.service
             ├─16588 /usr/lib/cyrus-imapd/cyrus-master
             ├─16592 idled
             ├─16594 imapd
             ├─16595 imapd
             ├─16596 imapd
             ├─16597 imapd
             ├─16599 imapd
             ├─16600 imapd -s
             ├─16603 pop3d
             ├─16604 pop3d
             ├─16605 pop3d
             ├─16608 pop3d -s
             ├─16609 lmtpd
             ├─16610 imapd
             ├─16611 imapd
             ├─16612 imapd
             ├─16617 imapd
             ├─16618 imapd
             ├─16619 imapd -s
             ├─16620 pop3d
             ├─16621 pop3d
             ├─16622 pop3d
             └─16623 pop3d -s

Jun 30 10:19:52 mach7.hviaene.thuis systemd[1]: Starting Cyrus-imapd IMAP/POP3 email server...

and then

$ telnet localhost 143
Trying ::1...
Connected to localhost (::1).
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ ID ENABLE STARTTLS LOGINDISABLED] mach7.hviaene.thuis Cyrus IMAP 2.5.15-Kolab-2.5.15-3.1.mga8 server ready

Looks good
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
CC: (none) => davidwhodgins
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0247.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED