cyrus-imapd is vulnerable to arbitrary code execution. The vulnerability exists as an authenticated user able to create Sieve mail filtering rules could use these flaws to execute arbitrary code with the privileges of the Cyrus IMAP server user.
dovecot.org/list/dovecot-news/2009-September/000135.html
lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
secunia.com/advisories/36629
secunia.com/advisories/36632
secunia.com/advisories/36698
secunia.com/advisories/36713
secunia.com/advisories/36904
support.apple.com/kb/HT4077
www.debian.org/security/2009/dsa-1881
www.openwall.com/lists/oss-security/2009/09/14/3
www.osvdb.org/58103
www.redhat.com/security/updates/classification/#important
www.securityfocus.com/bid/36296
www.securityfocus.com/bid/36377
www.ubuntu.com/usn/USN-838-1
www.vupen.com/english/advisories/2009/2559
www.vupen.com/english/advisories/2009/2641
access.redhat.com/errata/RHSA-2009:1459
bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sieve/script.c.diff?r1=1.62&r2=1.62.2.1&only_with_tag=cyrus-imapd-2_2-tail
lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001253.html
lists.andrew.cmu.edu/pipermail/cyrus-cvs/2009-September/001254.html
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10082
www.redhat.com/archives/fedora-package-announce/2009-September/msg00491.html