CVE-2021-33582

NameCVE-2021-33582
DescriptionCyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium
Debian Bugs993433

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cyrus-imapd (PTS)stretch (security), stretch2.5.10-3+deb9u2vulnerable
buster3.0.8-6+deb10u5vulnerable
buster (security)3.0.8-6+deb10u3vulnerable
bullseye3.2.6-2vulnerable
bookworm3.4.2-1fixed
sid3.4.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cyrus-imapdsource(unstable)3.4.2-1993433
cyrus-imapd-2.4source(unstable)(unfixed)

Notes

[bullseye] - cyrus-imapd <no-dsa> (Minor issue; pending fix via point release)
[buster] - cyrus-imapd <no-dsa> (Minor issue; can be fixed via point release)
[stretch] - cyrus-imapd <no-dsa> (Minor issue; can be fixed via point release)
https://cyrus.topicbox.com/groups/announce/T3dde0a2352462975-M1386fc44adf967e072f8df13/cyrus-imap-3-4-2-3-2-8-and-3-0-16-released
https://github.com/cyrusimap/cyrus-imapd/commit/0fb658f1727f4446f7f33adcc428ba4c9eeabe3e (master)
https://github.com/cyrusimap/cyrus-imapd/commit/f63695609c88a3f76129499bb49fb82e8155fb32 (master)
https://github.com/cyrusimap/cyrus-imapd/commit/833c22bd7de5bbb591c2cb3705c9983b6d2b1fee (master)

Search for package or bug name: Reporting problems