Hello all. Sorry about following up to my own email, but I think I understand the changes now to 2.4.18 in order to make it CVE compliant. As best I can understand, if I apply the two commits from Ellie Timoney on 10/26/2015, 2.4.18 would be "secure" once recompiled. These two commits appear to be these:

https://cyrus.foundation/cyrus-imapd/commit/?h=cyrus-imapd-2.4&id=538359e5a7c978e2f27c80124c8bd1282c7661a9
https://cyrus.foundation/cyrus-imapd/commit/?h=cyrus-imapd-2.4&id=0142e98fa90f02a030f93469523ac64f91ae7a9f

If someone can confirm that I'm correct on this, it would be very appreciated! Thanks in advance.

Tim

On Mon, Dec 14, 2015 at 11:04 AM, Tim Champ <ch...@umbc.edu> wrote:

> Hello all.
>
> We're trying to sort through our path here with patching for the
> CVE/commits that were released in 2.5.7, but also relevant to 2.4.18.
> We're currently on 2.4 series, and I was wondering what the plans were for
> a 2.4 release to address these security fixes. While moving to 2.5 is in
> the plans, I always despise a quick upgrade of anything before major
> holiday periods!
>
> My other concern was that, honestly, I'm not all that sure what the true
> risk and capability to exploit is for these bugs. I've read the CVEs, and
> associated discussions on a few lists - but it hasn't enlightened me as
> much as I've hoped.
>
> Any help, or answers, for either issue is appreciated. Thanks!
>
> Tim
>
> --
> Tim Champ
> Coordinator of Unix Infrastructure
> UMBC - Division of Information Technology
>

--
Tim Champ
Coordinator of Unix Infrastructure
UMBC - Division of Information Technology

----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus