Package: cyrus-murder Version: 3.6.1-4+deb12u2 Severity: grave Tags: patch, fixed-upstream
The patch for CVE-2024-34055 breaks the implementation of the mupdate protocol. This causes "ctl_mboxlist -m" to fail, which is by default executed on the start of cyrus-imapd in a clustered setup. Therefore, the current version of the cyrus-murder package is in an unusable state. Non-clustered setups shouldn't be affected. The cause and the fix (applied to recent versions only) are discussed here https://github.com/cyrusimap/cyrus-imapd/issues/4932 The fixes have not (yet?) been backported to the 3.6 branch. A more simple patch is given here: https://github.com/cyrusimap/cyrus-imapd/pull/4937#issuecomment-2178372505 I've come to a similar approach as I was unaware of the Github issue when encountering the problems and can confirm that the two-line-fix also resolves the issue. It is very likely that the regression also applies to the Bullseye package. Regards Matthias