CVE-2021-33582

NameCVE-2021-33582
DescriptionCyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3052-1
Debian Bugs993433

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cyrus-imapd (PTS)buster3.0.8-6+deb10u6fixed
buster (security)3.0.8-6+deb10u3vulnerable
bullseye3.2.6-2+deb11u2fixed
bookworm, sid3.6.0~rc2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cyrus-imapdsourcestretch2.5.10-3+deb9u3DLA-3052-1
cyrus-imapdsourcebuster3.0.8-6+deb10u6
cyrus-imapdsourcebullseye3.2.6-2+deb11u1
cyrus-imapdsource(unstable)3.4.2-1993433
cyrus-imapd-2.4source(unstable)(unfixed)

Notes

https://cyrus.topicbox.com/groups/announce/T3dde0a2352462975-M1386fc44adf967e072f8df13/cyrus-imap-3-4-2-3-2-8-and-3-0-16-released
https://github.com/cyrusimap/cyrus-imapd/commit/0fb658f1727f4446f7f33adcc428ba4c9eeabe3e (master)
https://github.com/cyrusimap/cyrus-imapd/commit/f63695609c88a3f76129499bb49fb82e8155fb32 (master)
https://github.com/cyrusimap/cyrus-imapd/commit/833c22bd7de5bbb591c2cb3705c9983b6d2b1fee (master)

Search for package or bug name: Reporting problems