Errata overview
Errata ID 414
Date 2020-01-15
Source package cyrus-imapd
Fixed in version 2.5.10-3+deb9u2
This update addresses the following issue:
* An issue was discovered in Cyrus IMAP. If sieve script uploading is allowed
  (3.x) or certain non-default sieve options are enabled (2.x), a user with a
  mail account on the service can use a sieve script containing a fileinto
  directive to create any mailbox with administrator privileges, because of
  folder mishandling in autosieve_createfolder() in imap/lmtp_sieve.c.
Additional notes
CVE ID CVE-2019-19783
UCS Bug number #50682