Bug 50680 - cyrus-sasl2: Multiple issues (4.3)
cyrus-sasl2: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
: P5 normal (vote)
: UCS 4.3-5-errata
Assigned To: Quality Assurance
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-01-06 08:10 CET by Quality Assurance
Modified: 2020-01-15 17:20 CET (History)
0 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted after Product Owner Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 0.0 () NVD


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Quality Assurance univentionstaff 2020-01-06 08:10:12 CET
New Debian cyrus-sasl2 2.1.27~101-g0780600+dfsg-3+deb9u1 fixes:
This update addresses the following issue:
* cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to  unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP  packet. The OpenLDAP crash is ultimately caused by an off-by-one error in  _sasl_add_string in common.c in cyrus-sasl. (CVE-2019-19906)
Comment 1 Quality Assurance univentionstaff 2020-01-06 09:00:21 CET
--- mirror/ftp/4.3/unmaintained/4.3-0/source/cyrus-sasl2_2.1.27~101-g0780600+dfsg-3.dsc
+++ apt/ucs_4.3-0-errata4.3-5/source/cyrus-sasl2_2.1.27~101-g0780600+dfsg-3+deb9u1.dsc
@@ -1,3 +1,8 @@
+2.1.27~101-g0780600+dfsg-3+deb9u1 [Thu, 19 Dec 2019 23:13:43 +0100] Salvatore Bonaccorso <carnil@debian.org>:
+
+  * Non-maintainer upload by the Security Team.
+  * Off-by-one in _sasl_add_string function (CVE-2019-19906) (Closes: #947043)
+
 2.1.27~101-g0780600+dfsg-3 [Sun, 19 Mar 2017 12:30:33 +0000] Holger Levsen <holger@debian.org>:
 
   [ Holger Levsen ]

<http://10.200.17.11/4.3-5/#2883985749128941646>
Comment 2 Philipp Hahn univentionstaff 2020-01-06 17:10:20 CET
OK: yaml
OK: announce_errata
OK: patch
~OK: piuparts
 Ignore error purging /usr/lib/sasl2/

[4.3-5] bd8b2ac764 Bug #50680: cyrus-sasl2 2.1.27~101-g0780600+dfsg-3+deb9u1
 doc/errata/staging/cyrus-sasl2.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[4.3-5] dc86aa9e91 Bug #50680: cyrus-sasl2 2.1.27~101-g0780600+dfsg-3+deb9u1
 doc/errata/staging/cyrus-sasl2.yaml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
Comment 3 Erik Damrose univentionstaff 2020-01-15 17:20:56 CET
<http://errata.software-univention.de/ucs/4.3/628.html>