Package: cyrus-sasl2
Severity: serious
Tags: security

Hi,

The following vulnerability has been published for Cyrus SASL:

Cyrus SASL library buffer overflow vulnerability

Overview

The Cyrus SASL library contains a buffer overflow vulnerability that could allow an attacker to execute code or cause a vulnerable program to crash.

I. Description

SASL (Simple Authentication and Security Layer) is a method for adding authentication support to various protocols. SASL is commonly used by mail servers to request authentication from clients and by clients to authenticate to servers. The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function.

II. Impact

A remote attacker might be able to execute code, or cause any programs relying on SASL to crash or be unavailable.

III. Solution: Upgrade

Cyrus SASL 2.1.23 has been released to address this issue. Before releasing fixed binaries, maintainers are encouraged to review the Cyrus vendor statement associated with this note.

See also: http://www.kb.cert.org/vuls/id/RGII-7RYLZQ

This is CVE-2009-0688 and VU#238019. Please mention these references in your changelogs.

Can you provide updated packages for sid, and assess whether etch/lenny are affected?

thanks,
Thijs
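As an added illustration of the caller-side sizing check the advisory implies, and not code from Cyrus SASL or from this bug report: a bounds-checked base64 encoder in C that keeps the argument order of sasl_encode64(), computes the exact output size including the NUL terminator, and refuses an undersized buffer instead of overrunning it. The names checked_encode64, encode64_required_size, encodes_to and rejects_short_buffer are the example's own.

```c
#include <string.h>
/* Size a caller must pass as outmax: 4 output chars per 3 input bytes,
 * rounded up, plus the terminating NUL. Passing less is the caller mistake
 * the advisory above describes as unsafe use of the encoder. */
unsigned encode64_required_size(unsigned inlen)
{
    return 4 * ((inlen + 2) / 3) + 1;
}
/* Bounds-checked base64 encoder with the argument order of the library
 * routine named in the advisory (a stand-in, not Cyrus code). Returns 0 on
 * success and -1, writing nothing, when outmax is too small, so a short
 * buffer is never overrun or left without a NUL terminator. */
int checked_encode64(const char *in, unsigned inlen,
                     char *out, unsigned outmax, unsigned *outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned i, o = 0;
    if (outmax < encode64_required_size(inlen))
        return -1;                     /* refuse rather than overflow */
    for (i = 0; i < inlen; i += 3) {
        unsigned char b0 = (unsigned char)in[i];
        unsigned char b1 = i + 1 < inlen ? (unsigned char)in[i + 1] : 0;
        unsigned char b2 = i + 2 < inlen ? (unsigned char)in[i + 2] : 0;
        out[o++] = tbl[b0 >> 2];
        out[o++] = tbl[((b0 & 0x03) << 4) | (b1 >> 4)];
        out[o++] = i + 1 < inlen ? tbl[((b1 & 0x0f) << 2) | (b2 >> 6)] : '=';
        out[o++] = i + 2 < inlen ? tbl[b2 & 0x3f] : '=';
    }
    out[o] = '\0';                     /* always NUL-terminate */
    *outlen = o;
    return 0;
}
/* Encode a C string into a correctly sized buffer; 1 if output matches. */
int encodes_to(const char *in, const char *expect)
{
    char out[64];
    unsigned n;
    if (checked_encode64(in, (unsigned)strlen(in), out, sizeof out, &n))
        return 0;
    return n == strlen(expect) && strcmp(out, expect) == 0;
}
/* 1 if six input bytes are refused by an eight-byte buffer (nine needed). */
int rejects_short_buffer(void)
{
    char small[8];
    unsigned n = 99;
    return checked_encode64("foobar", 6, small, sizeof small, &n) == -1 && n == 99;
}
```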