1:tocdepth: 3 2 3============================== 4Cyrus IMAP 3.2.8 Release Notes 5============================== 6 7Download from GitHub: 8 9 * https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.2.8/cyrus-imapd-3.2.8.tar.gz 10 * https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.2.8/cyrus-imapd-3.2.8.tar.gz.sig 11 12.. _relnotes-3.2.8-changes: 13 14Changes since 3.2.7 15=================== 16 17Security fixes: 18--------------- 19 20* Fixed CVE-2021-33582_: Certain user inputs are used as hash table keys during 21 processing. A poorly chosen string hashing algorithm meant that the user 22 could control which bucket their data was stored in, allowing a malicious 23 user to direct many inputs to a single bucket. Each subsequent insertion to 24 the same bucket requires a strcmp of every other entry in it. At tens of 25 thousands of entries, each new insertion could keep the CPU busy in a strcmp 26 loop for minutes. 27 28 The string hashing algorithm has been replaced with a better one, and now 29 also uses a random seed per hash table, so malicious inputs cannot be 30 precomputed. 31 32 Discovered by Matthew Horsfall, Fastmail 33 34.. _CVE-2021-33582: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33582 35 36Bug fixes 37--------- 38 39* Fixed: missing CY namespace in some DAV responses 40