Serious openssl bug crashes imaps sessions

Bug #1780916 reported by Eric Donkersloot
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone
cyrus-imapd (Debian) | Fix Released | Unknown | |
cyrus-imapd (Ubuntu) | Confirmed | Undecided | Unassigned |

Bug Description

There is a serious bug in the cyrus-imapd 2.5.10 series (https://github.com/cyrusimap/cyrus-imapd/issues/1872) which fortunately is fixed in the 2.5.11 release (https://cyrusimap.org/imap/download/release-notes/2.5/x/2.5.11.html).

Can you please update the cyrus-imapd packages to the 2.5.11 series?

Eric Donkersloot (ericd) wrote :

This bug is really annoying, especially if you have lots of MacOS / iPhone / iPad clients connecting to your server.

Eric Donkersloot (ericd)
summary: - Serious openssl bug affecting Apple hardware
+ Serious openssl bug crashes imaps sessions
Ben Polman (ben-polman) wrote :

This is also a real problem for Outlook clients, leading to frequent disconnected sessions.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863520
for a very small patch to the 2.5.10-3ubuntu version.
I have applied this patch on our mailserver running on Ubuntu 18.04 and
it fixes the issue.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in cyrus-imapd (Ubuntu):
status: New → Confirmed
Changed in cyrus-imapd (Debian):
status: Unknown → Confirmed
Eric Donkersloot (ericd) wrote :

Will the patched version ever land in Ubuntu 18.04? If not, I'll patch the server myself.
I'm a bit surprised (and disappointed - seeing the seriousness of this bug and the wide range of devices it affects) that the package hasn't been updated yet.

Changed in cyrus-imapd (Debian):
status: Confirmed → Fix Released
Malte Langermann (mlangermann) wrote :

Still waiting for an update...
Is there an easy way to get a newer version for Ubuntu 18.04?

Malte Langermann (mlangermann) wrote :

A temporary solution is to set
tls_session_timeout: 0
in /etc/imapd.conf to disable TLS session caching.
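
Added example (not part of the original thread and not Cyrus or Ubuntu project code): a small audit that classifies a host against what this report states, namely that the 2.5.10 series is affected, 2.5.11 is fixed, and tls_session_timeout: 0 disables TLS session caching. The function names, result labels, sample config text and package version strings are constructed for illustration, and it assumes an unset option leaves caching enabled.

```python
import re

# Constructed sample imapd.conf text, not taken from the bug report.
BASE = """\
# constructed sample
configdirectory: /var/lib/cyrus
#tls_session_timeout: 0
"""
WITH_WORKAROUND = BASE + "tls_session_timeout: 0\n"


def option_values(conf_text, name):
    """Collect every active (uncommented) value given for an option."""
    values = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank and comment lines carry no settings
        key, sep, value = line.partition(":")
        if sep and key.strip() == name:
            values.append(value.strip())
    return values


def upstream_version(package_version):
    """'2.5.10-3ubuntu1' -> (2, 5, 10): drop epoch and packaging revision."""
    upstream = package_version.split(":", 1)[-1].rsplit("-", 1)[0]
    return tuple(int(n) for n in re.findall(r"\d+", upstream)[:3])


def assess(conf_text, package_version):
    """Classify a host against the report: 2.5.10 affected, 2.5.11 fixed."""
    if upstream_version(package_version) != (2, 5, 10):
        return "not-2.5.10"
    values = set(option_values(conf_text, "tls_session_timeout"))
    if len(values) > 1:
        return "conflicting-settings"  # resolve by hand, do not guess
    if values == {"0"}:
        return "workaround-active"  # TLS session caching disabled
    # Caching is still on. A 2.5.10 package carrying the Debian patch looks
    # the same here, so confirm against the package changelog.
    return "caching-enabled"
```

The commented-out line in the sample is deliberate: a workaround that was pasted in but left behind a "#" is reported as caching-enabled.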

Boris Dušek (dusek) wrote :

mlangermann: are there any drawbacks, please, to the temporary solution you kindly offered (i.e. why did you call it temporary)?

Boris Dušek (dusek) wrote :

Is there any chance, please, of getting this fixed in the 18.04 LTS (Bionic)? It seems the package is hardly usable without this fixed.

jasonmaier (joerg-maier) wrote :

Hi,

Getting the same error in Bionic. As this is the latest LTS Ubuntu release and no update was done in more recent releases anyway, I patched cyrus-imapd according to the Debian docs in https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863520.

+1 for updating to 2.5.11 or adding the patch that fixes the issue.
