| Descripción: | Description:
The remote host is missing updates announced in
advisory RHSA-2007:0795.
The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is
the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.
A bug was found in cyrus-sasl's DIGEST-MD5 authentication mechanism. As
part of the DIGEST-MD5 authentication exchange, the client is expected to
send a specific set of information to the server. If one of these items
(the realm) was not sent or was malformed, it was possible for a remote
unauthenticated attacker to cause a denial of service (segmentation fault)
on the server. (CVE-2006-1721)
This errata also fixes the following bugs:
* the Kerberos 5 library included in Red Hat Enterprise Linux 4 was not
thread safe. This update adds functionality which allows it to be used
safely in a threaded application.
* several memory leak bugs were fixed in cyrus-sasl's DIGEST-MD5
authentication plug-in.
* /dev/urandom is now used by default on systems which don't support
hwrandom. Previously, dev/random was the default.
* cyrus-sasl needs zlib-devel to build properly. This dependency
information is now included in the package.
Users are advised to upgrade to this updated cyrus-sasl package, which
resolves these issues.
Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date
http://rhn.redhat.com/errata/RHSA-2007-0795.html
http://www.redhat.com/security/updates/classification/#moderate
Risk factor : Medium
CVSS Score:
2.6
|
