CVE-2021-33582

NameCVE-2021-33582
DescriptionCyrus IMAP before 3.4.2 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3052-1
Debian Bugs993433

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
cyrus-imapd (PTS)stretch (security), stretch (lts), stretch2.5.10-3+deb9u3fixed
buster, buster (lts)3.0.8-6+deb10u7fixed
buster (security)3.0.8-6+deb10u3vulnerable
bullseye3.2.6-2+deb11u2fixed
bullseye (security)3.2.6-2+deb11u4fixed
bookworm3.6.1-4+deb12u3fixed
bookworm (security)3.6.1-4+deb12u2fixed
sid3.10.0-1fixed
cyrus-imapd-2.4 (PTS)jessie2.4.17+nocaldav-0+deb8u2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
cyrus-imapdsourcestretch2.5.10-3+deb9u3DLA-3052-1
cyrus-imapdsourcebuster3.0.8-6+deb10u6
cyrus-imapdsourcebullseye3.2.6-2+deb11u1
cyrus-imapdsource(unstable)3.4.2-1993433
cyrus-imapd-2.4sourcejessie(unfixed)end-of-life
cyrus-imapd-2.4source(unstable)(unfixed)

Notes

https://cyrus.topicbox.com/groups/announce/T3dde0a2352462975-M1386fc44adf967e072f8df13/cyrus-imap-3-4-2-3-2-8-and-3-0-16-released
https://github.com/cyrusimap/cyrus-imapd/commit/0fb658f1727f4446f7f33adcc428ba4c9eeabe3e (master)
https://github.com/cyrusimap/cyrus-imapd/commit/f63695609c88a3f76129499bb49fb82e8155fb32 (master)
https://github.com/cyrusimap/cyrus-imapd/commit/833c22bd7de5bbb591c2cb3705c9983b6d2b1fee (master)

Search for package or bug name: Reporting problems