Cyrus IMAP 2.5.15 Release Notes
*******************************

Important: This is a bug-fix release in the stable 2.5 series.Refer
  to the Cyrus IMAP 2.5.0 Release Notes for important information
  about the 2.5 series, including upgrading instructions.

Download via HTTPS:

   * https://github.com/cyrusimap/cyrus-
     imapd/releases/download/cyrus- imapd-2.5.15/cyrus-
     imapd-2.5.15.tar.gz

   * https://github.com/cyrusimap/cyrus-
     imapd/releases/download/cyrus- imapd-2.5.15/cyrus-
     imapd-2.5.15.tar.gz.sig


Changes Since 2.5.14
====================


Release changes
---------------

We’re trialing using the Github Releases feature. If you have trouble
downloading this release, please report this to the mailing lists.
Thanks!


Security fixes
--------------

* Fixed CVE-2019-19783: When creating a missing mailbox as part of a
  sieve ‘fileinto’ directive, lmtpd would create it as administrator,
  bypassing ACL checks.

  lmtpd creates missing mailboxes as part of a sieve ‘fileinto’
  directive if:

  * (2.5+) the *anysievefolder* option is enabled (default: not), or

  * (3.0+) the *sieve_extensions* option has the ‘mailbox’ extension
    enabled (default: enabled) and the ‘fileinto’ directive contains
    the “:create” argument

  Under these conditions, a user with the ability to upload a custom
  sieve script to their account could use it to create any valid
  mailbox on the server (with ACL inherited from the parent mailbox as
  usual).

  lmtpd no longer creates these mailboxes as administrator, so users
  may no longer use a ‘fileinto’ directive to create a mailbox they
  couldn’t create otherwise.


Bug fixes
---------

* Fixed Issue #2913: errors are now logged when
  *maxlogins_per_host*, *maxlogins_per_user*, and *popminpoll* limits
  are reached (thanks Sergey)
