CVE-2009-0688
Published: 15 May 2009
Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.
Notes
Author | Note |
---|---|
jdstrand | applying upstream patch could break existing applications |
mdeslaur | since the change breaks ABI, redhat updated applications that used cyrus-sasl2 improperly instead. They have released a cyrus-imapd update. See redhat bug for more info. sendmail: https://bugzilla.redhat.com/show_bug.cgi?id=504186 |
kees | cyrus-imapd-2.2: https://bugzilla.redhat.com/show_bug.cgi?id=504207 |
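The warnings above about breaking applications match the nature of the upstream change: before 2.1.23, sasl_encode64 accepted an output buffer with no room for a NUL terminator and left the result unterminated, so callers that treated the output as a C string read past the buffer; 2.1.23 rejects such buffers with SASL_BUFOVER, which is what broke callers that sized buffers exactly. The following is an added example, not Cyrus SASL's code, showing both size checks side by side with a caller-side sizing helper; function names and status values are assumptions.

```c
/* Simplified sasl_encode64-style base64 encoder written for this note; it is not
 * Cyrus SASL's code. Status values mirror sasl.h's SASL_OK / SASL_BUFOVER (assumed). */
#include <string.h>
#define ENC_OK      0
#define ENC_BUFOVER (-3)
static const char B64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Bytes a caller must reserve to encode inlen bytes, including the NUL terminator. */
unsigned b64_needed(unsigned inlen) { return (inlen + 2) / 3 * 4 + 1; }
/* strict == 0 models the pre-2.1.23 check: a buffer of exactly the encoded length is
 * accepted and left unterminated; strict != 0 models 2.1.23, which needs room for NUL. */
int encode64(const unsigned char *in, unsigned inlen, char *out, unsigned outmax,
             unsigned *outlen, int strict)
{
    unsigned olen = (inlen + 2) / 3 * 4, i, o = 0;
    if (outlen) *outlen = olen;
    if (strict ? outmax < olen + 1 : outmax < olen) return ENC_BUFOVER;
    for (i = 0; i < inlen; i += 3) {
        unsigned rest = inlen - i;                     /* bytes left: 1, 2 or >= 3 */
        unsigned v = (unsigned)in[i] << 16;
        if (rest > 1) v |= (unsigned)in[i + 1] << 8;
        if (rest > 2) v |= in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = rest > 1 ? B64[(v >> 6) & 63] : '=';
        out[o++] = rest > 2 ? B64[v & 63] : '=';
    }
    if (o < outmax) out[o] = '\0';                     /* NUL only if space remains */
    return ENC_OK;
}

/* Encode s into outmax bytes: ENC_BUFOVER if rejected, 1 if NUL-terminated inside the
 * buffer, 0 if accepted but unterminated (a caller using it as a C string over-reads). */
int try_encode(const char *s, unsigned outmax, int strict)
{
    char buf[64]; unsigned n;
    if (outmax > sizeof buf) return ENC_BUFOVER;       /* keep the test buffer safe */
    memset(buf, 'X', sizeof buf);                      /* poison: no stray NULs */
    int rc = encode64((const unsigned char *)s, (unsigned)strlen(s), buf, outmax, &n, strict);
    if (rc != ENC_OK) return rc;
    return memchr(buf, '\0', outmax) != NULL;
}

/* 1 if strict encoding of s into a b64_needed()-sized buffer yields exactly expect. */
int encodes_to(const char *s, const char *expect)
{
    char buf[64]; unsigned n, len = (unsigned)strlen(s);
    if (encode64((const unsigned char *)s, len, buf, b64_needed(len), &n, 1) != ENC_OK) return 0;
    return n == strlen(expect) && strcmp(buf, expect) == 0;
}
```

A caller that allocates b64_needed(inlen) bytes works with both checks; one that allocates only (inlen + 2) / 3 * 4 bytes gets an unterminated result from the old check and SASL_BUFOVER from the new one.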
Priority
Status
Package | Release | Status |
---|---|---|
cyrus-sasl2 (Launchpad, Ubuntu, Debian) | upstream | Released (2.1.23) |
cyrus-sasl2 | dapper | Released (2.1.19.dfsg1-0.1ubuntu3.1) |
cyrus-sasl2 | hardy | Released (2.1.22.dfsg1-18ubuntu2.1) |
cyrus-sasl2 | intrepid | Released (2.1.22.dfsg1-21ubuntu2.1) |
cyrus-sasl2 | jaunty | Released (2.1.22.dfsg1-23ubuntu3.1) |

Patches:
vendor: http://www.debian.org/security/2009/dsa-1807
upstream: https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/lib/saslutil.c.diff?r1=1.48;r2=1.49