Upgrading from 2.3.8
* The default value of the allowplaintext option has been changed to
disabled (0). If you need to allow cleartext passwords on the wire,
then you will have to explicitly enable the allowplaintext option
in imapd.conf.
Security: Fix possible single byte overflow in mailbox handling code.
Security: Fix possible single byte overflows in the imapd annotate
extension.
Security: Fix stack buffer overflows in fetchnews (exploitable by
peer news server), backend (exploitable by admin), and in
imapd (exploitable by users though only on platforms where
a filename may be larger than a mailbox name).
* Change ACLs correctly when renaming a user
* Do not abandon std{in,out,err} file descriptors; syslog assumes it
can use stderr if syslogd isn't running.
* Clean up imap magic plus to avoid buffer overrun (CAN-2004-1011)
* Fix lack of bounds checking in PARTIAL and FETCH (CAN-2004-1012,
CAN-2004-1013)
* Do not attempt to reuse a freed connection in lmtpproxyd.
* Allow login without authentication with -N switch in proxyd.
* Fix use of xrealloc and fold pointers in lmtpengine.
- Fix build problem with WITH_SNMP_5 on FreeBSD 4.X with
perl5.8 installed. Though we need 5.8's libperl.so,
/usr/lib/libperl.so was linked. [1]
Reported by: Thomas Vogt <tv@solnet.ch> [1]
Since there are some issues with upgrading from 2.2.0-ALPHA,
you should read /usr/local/share/doc/cyrus-imapd22/install-upgrade.html
before upgrading your server.
The release has two security fixes:
- Fixed some potential buffer overflows in the sieve code
- Fixed a pre-login buffer overflow in the IMAP parsing code
Approved by: portmgr
- IPv6 patch was updated to 20010709 version.
(Now, reconfig by SIGHUP should work. However, since master is
running without root privilege, re-bind to privileged port still
fails. I believe it is an original problem.)
security/cyrus-sasl port. Fix deliver.c so it uses the correct location
of sendmail (/usr/sbin/sendmail vs. /usr/lib/sendmail). Open the port up
to the world after previous maintainer showed no interest in the port for
nearly 2 years.
PR: 22791, 22465
Submitted by: Martti Kuparinen <martti.kuparinen@piuha.net>
Scot W. Hetzel <hetzels@westbend.net>