cyradm-3.8.4-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16030 Final 1 1 2025-04-04T00:00:00Z current 2025-04-04T00:00:00Z 2025-04-04T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z cyradm-3.8.4-1.1 on GA media These are all security issues fixed in the cyradm-3.8.4-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16030 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-11356/ SUSE CVE CVE-2019-11356 page https://www.suse.com/security/cve/CVE-2019-18928/ SUSE CVE CVE-2019-18928 page https://www.suse.com/security/cve/CVE-2019-19783/ SUSE CVE CVE-2019-19783 page https://www.suse.com/security/cve/CVE-2024-34055/ SUSE CVE CVE-2024-34055 page openSUSE Tumbleweed cyradm-3.8.4-1.1 cyrus-imapd-3.8.4-1.1 cyrus-imapd-devel-3.8.4-1.1 cyrus-imapd-snmp-3.8.4-1.1 cyrus-imapd-snmp-mibs-3.8.4-1.1 cyrus-imapd-utils-3.8.4-1.1 libcyrus0-3.8.4-1.1 perl-Cyrus-Annotator-3.8.4-1.1 perl-Cyrus-IMAP-3.8.4-1.1 perl-Cyrus-SIEVE-managesieve-3.8.4-1.1 cyradm-3.8.4-1.1 as a component of openSUSE Tumbleweed cyrus-imapd-3.8.4-1.1 as a component of openSUSE Tumbleweed cyrus-imapd-devel-3.8.4-1.1 as a component of openSUSE Tumbleweed cyrus-imapd-snmp-3.8.4-1.1 as a component of openSUSE Tumbleweed cyrus-imapd-snmp-mibs-3.8.4-1.1 as a component of openSUSE Tumbleweed cyrus-imapd-utils-3.8.4-1.1 as a component of openSUSE Tumbleweed libcyrus0-3.8.4-1.1 as a component of openSUSE Tumbleweed perl-Cyrus-Annotator-3.8.4-1.1 as a component of openSUSE Tumbleweed perl-Cyrus-IMAP-3.8.4-1.1 as a component of openSUSE Tumbleweed perl-Cyrus-SIEVE-managesieve-3.8.4-1.1 as a component of openSUSE Tumbleweed The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name. CVE-2019-11356 openSUSE Tumbleweed:cyradm-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-devel-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-snmp-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-snmp-mibs-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-utils-3.8.4-1.1 openSUSE Tumbleweed:libcyrus0-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-Annotator-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-IMAP-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-SIEVE-managesieve-3.8.4-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-11356.html CVE-2019-11356 https://bugzilla.suse.com/1137190 SUSE Bug 1137190 Cyrus IMAP 2.5.x before 2.5.14 and 3.x before 3.0.12 allows privilege escalation because an HTTP request may be interpreted in the authentication context of an unrelated previous request that arrived over the same connection. CVE-2019-18928 openSUSE Tumbleweed:cyradm-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-devel-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-snmp-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-snmp-mibs-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-utils-3.8.4-1.1 openSUSE Tumbleweed:libcyrus0-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-Annotator-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-IMAP-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-SIEVE-managesieve-3.8.4-1.1 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-18928.html CVE-2019-18928 An issue was discovered in Cyrus IMAP before 2.5.15, 3.0.x before 3.0.13, and 3.1.x through 3.1.8. If sieve script uploading is allowed (3.x) or certain non-default sieve options are enabled (2.x), a user with a mail account on the service can use a sieve script containing a fileinto directive to create any mailbox with administrator privileges, because of folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c. CVE-2019-19783 openSUSE Tumbleweed:cyradm-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-devel-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-snmp-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-snmp-mibs-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-utils-3.8.4-1.1 openSUSE Tumbleweed:libcyrus0-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-Annotator-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-IMAP-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-SIEVE-managesieve-3.8.4-1.1 moderate 3.5 AV:N/AC:M/Au:S/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-19783.html CVE-2019-19783 https://bugzilla.suse.com/1161711 SUSE Bug 1161711 Cyrus IMAP before 3.8.3 and 3.10.x before 3.10.0-rc1 allows authenticated attackers to cause unbounded memory allocation by sending many LITERALs in a single command. CVE-2024-34055 openSUSE Tumbleweed:cyradm-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-devel-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-snmp-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-snmp-mibs-3.8.4-1.1 openSUSE Tumbleweed:cyrus-imapd-utils-3.8.4-1.1 openSUSE Tumbleweed:libcyrus0-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-Annotator-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-IMAP-3.8.4-1.1 openSUSE Tumbleweed:perl-Cyrus-SIEVE-managesieve-3.8.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-34055.html CVE-2024-34055 https://bugzilla.suse.com/1225990 SUSE Bug 1225990