:tocdepth: 3

===============================
Cyrus IMAP 3.10.3 Release Notes
===============================

Download from GitHub:

    *   https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.10.3/cyrus-imapd-3.10.3.tar.gz
    *   https://github.com/cyrusimap/cyrus-imapd/releases/download/cyrus-imapd-3.10.3/cyrus-imapd-3.10.3.tar.gz.sig

.. _relnotes-3.10.3-changes:

Changes since 3.10.2
====================

Security fixes
--------------

* :cve:`CVE-2026-47084` LOCALDELETE bypassed ACL checks

  An authenticated but non-admin user could invoke the admin-only LOCALDELETE
  IMAP command and delete mailboxes for which they had no permissions.

  Reported by: Michael Lynch (mtlynch.io)

* :cve:`CVE-2026-47086` GENURLAUTH issued tokens bypassing ACLs

  Any authenticated user could mint a URLAUTH token (via the GENURLAUTH
  command) for any mailbox they could name, even without read access on it.
  This would allow reading mail from mailboxes despite having no granted
  permissions.

  Reported by: Matthew Horsfall

* :cve:`CVE-2026-47087` URLAUTH does not honor revoked authorizer access

  A URLAUTH URL minted while the authorizer had access continued to work after
  that access was revoked.

  Reported by: Matthew Horsfall

* :cve:`CVE-2026-47081` XAPPLEPUSHSERVICE folder existence oracle and push hijack

  An authenticated IMAP user could probe for the existence of arbitrary
  mailboxes on other users' accounts via the XAPPLEPUSHSERVICE command and
  then create Apple Push Notification Service notifications for new mail in
  those mailboxes to their own APNS device.  This did not leak any data about
  the content of mailboxes.  Instead, a "mailbox has changed" notice would be
  pushed when the mailbox modseq changed.

  Reported by Matthew Horsfall.

* :cve:`CVE-2026-47089` LISTRIGHTS not limited to users with admin access

  An authenticated user could call IMAP LISTRIGHTS against any mailbox they
  could name and learn what principals had what access to it.  (This action
  should have been restricted to users with admin access on the target
  mailbox.)

  Reported by: Matthew Horsfall

* :cve:`CVE-2026-47085` URLAUTH token forgery via missing mboxkey

  If an attacker knew a folder name on the victim's account for which the
  victim had never issued an auth URL, they could forge a working URLAUTH token
  by computing HMAC-SHA1 with a predictable key, allowing them read access to
  the mailbox.

  URLAUTH is an obscure feature, meaning that the odds of any user actually
  being susceptible to this attack are very low.  We are unaware of any clients
  using URLAUTH.

  Reported by: Matthew Horsfall

* :cve:`CVE-2026-47083` ESEARCH cross-user content oracle

  Using the ESEARCH command, an authenticated IMAP user could enumerate folder
  names under any account they could name.  Search would return UIDs of
  messages matching search, creating a content oracle without allowing
  arbitrary reads of the target's content.

  Reported by: Michael Lynch (mtlynch.io)

* :cve:`CVE-2026-47088` Heap exposure in nested MIME comment parsing

  An authenticated IMAP user could specially craft an email containing an RFC
  822 comment ending with a backslash.  When parsing the message, the server
  would read past the message end in memory and read into the heap, returning
  the read content to the user.

  Reported by: Michael Lynch (mtlynch.io).

* :cve:`CVE-2026-47082` Vacation "fcc" skips destination-mailbox ACL

  A user whose vacation Sieve script used :fcc (to save a copy of the sent
  message) could deliver vacation auto-reply copies into any mailbox the script
  could name, regardless of whether the script owner had insert permissions on
  the destination mailbox.

  Reported by: Michael Lynch (mtlynch.io)

Build changes
-------------

* Fixed: :issue:`5262`: fix cunit+valgrind libtool invocation
* Fixed: :issue:`5512`: fix cunit stuff to properly integrate with autotools
* Fixed: :issue:`5646`: update cunit valgrind suppressions
* Fixed: :issue:`5733`: unused parameter warning in cyrdbbench
* Fixed: :issue:`5727`: consolidate cassandane 'other' configuration sections
* Fixed: :issue:`5730`: add ``--with-zoneinfo-dir`` configure option to set
  ``zoneinfo_dir`` at compile time
* Fixed: :issue:`5750`: add min/max other version cassandane magic
* Fixed: :issue:`5313`: update cassandane valgrind suppressions

Bug fixes
---------

* Fixed: :issue:`5436`: fix leaks in imap SELECT and SETQUOTA
* Fixed: :issue:`5437`: don't leak cached TLS sessions
* Fixed: :issue:`5602`: fix proxy of LIST (SUBSCRIBED) to backends
* Fixed: :issue:`3562`: squat crash attempting to search flags (thanks Sven
  Wegener)
* Fixed: :issue:`4787`: VANISHED not working with cyrus proxy
* Fixed: :issue:`5908`: auditlog rename of UUID mailboxes
* Fixed: :issue:`6022`: various memory leaks
