A security fix in 2.4.18 version appeared that handles urlfetch range starting outside message range, causing information disclosure (out of bounds heap read). Upstream patch: https://cyrus.foundation/cyrus-imapd/commit/?id=07de4ff1bf2fa340b9d77b8e7de8d43d47a33921 Later there appeared another related commit: https://cyrus.foundation/cyrus-imapd/commit/?id=c21e179c1f6b968fe69bebe079176714e511587b CVE request: http://seclists.org/oss-sec/2015/q3/646
Created cyrus-imapd tracking bugs for this issue: Affects: fedora-all [bug 1267871]
CVE assignment: http://seclists.org/oss-sec/2015/q4/223
cyrus-imapd-2.4.18-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
cyrus-imapd-2.4.18-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
cyrus-imapd-2.4.18-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.