CVE-2024-34055

Name: CVE-2024-34055
Description: Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-5708-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release              Version            Status
cyrus-imapd (PTS)    buster               3.0.8-6+deb10u6    vulnerable
                     buster (security)    3.0.8-6+deb10u3    vulnerable
                     bullseye             3.2.6-2+deb11u2    vulnerable
                     bookworm             3.6.1-4+deb12u1    vulnerable
                     bookworm (security)  3.6.1-4+deb12u2    fixed
                     sid                  3.8.3-1            fixed

The information below is based on the following data on fixed versions.

Package        Type     Release      Fixed Version      Urgency   Origin       Debian Bugs
cyrus-imapd    source   bookworm     3.6.1-4+deb12u2              DSA-5708-1
cyrus-imapd    source   (unstable)   3.8.3-1

Notes

[bullseye] - cyrus-imapd <ignored> (Too intrusive to backport)
[buster] - cyrus-imapd <ignored> (Too intrusive to backport)
https://cyrus.topicbox.com/groups/announce/Ta8e3998446caf7f8/cyrus-imap-3-8-3-3-6-5-and-3-4-8-released
