[SECURITY] [DSA 4590-1] cyrus-imapd security update

Type debian
Reporter Debian
Modified 2019-12-19T22:54:18


Debian Security Advisory DSA-4590-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff December 19, 2019 https://www.debian.org/security/faq

Package : cyrus-imapd CVE ID : CVE-2019-19783

It was discovered that the lmtpd component of the Cyrus IMAP server created mailboxes with administrator privileges if the "fileinto" was used, bypassing ACL checks.

For the oldstable distribution (stretch), this problem has been fixed in version 2.5.10-3+deb9u2.

For the stable distribution (buster), this problem has been fixed in version 3.0.8-6+deb10u3.

We recommend that you upgrade your cyrus-imapd packages.

For the detailed security status of cyrus-imapd please refer to its security tracker page at: https://security-tracker.debian.org/tracker/cyrus-imapd

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org