Cyrus IMAP 3.0.3 Release Notes¶
Important
This is a bug-fix release in the stable 3.0 series.
Refer to the Cyrus IMAP 3.0.0 Release Notes for important information about the 3.0 series, including upgrading instructions.
Download from GitHub:
Changes Since 3.0.2¶
Security fixes¶
An authenticated non-admin IMAP user could overwrite an arbitrary file (subject to cyrus user permissions) with specially crafted SYNCAPPLY, SYNCGET or SYNCRESTORE commands.
This issue was introduced with commit 152f59c and affects all releases from the 3.0 series prior to this. 2.5 and earlier are not affected.
Other changes¶
- Improved JMAP support 
- imapd client_id log lines now include the session id 
Bug fixes¶
- Fixed: lmtpd no longer crashes due to uninitialised quotadb 
- Fixed Issue #1434: buffer overflow in auth_pts from too-long imapd.conf value 
- Fixed Issue #1090: non-standard NO response to ID command 
- Fixed: uninitialised buffer in ischedule 
- Fixed: replication desyncronisation when only last_uid field changes 
- Fixed Issue #2076: IMAP LIST was unnecessarily dependent on PCRE 
- Fixed Issue #1437: buffer overflow in mupdate-client from too-long imapd.conf value 
- Fixed Issue #2080: crash in cyrdump due to uninitialised mboxname 
- Fixed: installed arrayu64.h and strarray.h no longer depend on util.h 
- Fixed: backup staging files are now cleaned up on signal shutdown 
- Fixed: backup no longer re-uses reserve partition as staging path 
Erratum¶
Earlier release notes from the 3.0 series stated that the default value of
the virtdomains option had changed from off to userid.  This is
not the case: the default is still off, and will remain so for the life
of the 3.0 series.