cyrus-sasl2 buffer overflow vulnerability: CVE-2009-0688
Bug #383300 reported by
Joel Ebel
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
cyrus-sasl2 (Debian) |
Fix Released
|
Unknown
|
|||
cyrus-sasl2 (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Dapper |
Fix Released
|
Medium
|
Kees Cook | ||
Hardy |
Fix Released
|
Medium
|
Kees Cook | ||
Intrepid |
Fix Released
|
Medium
|
Kees Cook | ||
Jaunty |
Fix Released
|
Medium
|
Kees Cook | ||
Karmic |
Fix Released
|
Medium
|
Unassigned |
Bug Description
According to CVE-2009-0688: "Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c." Please consider updating cyrus-sasl2 to 2.1.23, or patching the buffer overflows if possible in all active releases including dapper, hardy, intrepid, jaunty, and karmic.
CVE References
Changed in cyrus-sasl2 (Ubuntu Dapper): | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in cyrus-sasl2 (Ubuntu Hardy): | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in cyrus-sasl2 (Ubuntu Intrepid): | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in cyrus-sasl2 (Ubuntu Jaunty): | |
status: | New → Triaged |
importance: | Undecided → Medium |
Changed in cyrus-sasl2 (Ubuntu Karmic): | |
importance: | Undecided → Medium |
Changed in cyrus-sasl2 (Debian): | |
status: | Unknown → Fix Released |
Changed in cyrus-sasl2 (Ubuntu Dapper): | |
assignee: | nobody → Kees Cook (kees) |
status: | Triaged → Fix Committed |
Changed in cyrus-sasl2 (Ubuntu Hardy): | |
assignee: | nobody → Kees Cook (kees) |
status: | Triaged → Fix Committed |
Changed in cyrus-sasl2 (Ubuntu Intrepid): | |
assignee: | nobody → Kees Cook (kees) |
status: | Triaged → Fix Committed |
To post a comment you must log in.
This appears to be patched in debian lenny, version 2.1.22. dfsg1-23+ lenny1