MGASA-2020-0010 - Updated cyrus-imapd packages fix security vulnerability

Publication date: 05 Jan 2020
URL: https://advisories.mageia.org/MGASA-2020-0010.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2019-19783

Updated cyrus-imapd packages fix security vulnerability:

It was discovered that the lmtpd component of the Cyrus IMAP server
created mailboxes with administrator privileges if the "fileinto" was
used, bypassing ACL checks (CVE-2019-19783).

References:
- https://bugs.mageia.org/show_bug.cgi?id=25913
- https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.12.html
- https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.13.html
- https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.14.html
- https://www.cyrusimap.org/imap/download/release-notes/2.5/x/2.5.15.html
- https://lists.fedoraproject.org/archives/list/[email protected]/thread/PHV3TUU53WCKJ3BBRK2EHAF44MSZEFK6/
- https://www.debian.org/security/2019/dsa-4590
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19783

SRPMS:
- 7/core/cyrus-imapd-2.5.15-1.mga7