Debian Local Security Checks : Debian Security Advisory DSA 563-3 (cyrus-sasl)

Price/Feature Summary | Order | New Vulnerabilities | Confidentiality | Vulnerability Search

Vulnerability Search		Search 61204 CVE descriptions and 32582 test descriptions, access 10,000+ cross references.
	Tests CVE All

Test ID: 1.3.6.1.4.1.25623.1.0.53256

Category: Debian Local Security Checks

Title: Debian Security Advisory DSA 563-3 (cyrus-sasl)

Summary: Debian Security Advisory DSA 563-3 (cyrus-sasl)

Description: The remote host is missing an update to cyrus-sasl
announced via advisory DSA 563-3.

This advisory is an addition to DSA 563-1 and 563-2 which weren't able
to supersede the library on sparc and arm due to a different version
number for them in the stable archive. Other architectures were
updated properly. Another problem was reported in connection with
sendmail, though, which should be fixed with this update as well.

For the stable distribution (woody) this problem has been fixed in
version 1.5.27-3.1woody5.

For reference the advisory text follows:

A vulnerability has been discovered in the Cyrus implementation of
the SASL library, the Simple Authentication and Security Layer, a
method for adding authentication support to connection-based
protocols. The library honors the environment variable SASL_PATH
blindly, which allows a local user to link against a malicious
library to run arbitrary code with the privileges of a setuid or
setgid application.

For the unstable distribution (sid) this problem has been fixed in
version 1.5.28-6.2 of cyrus-sasl and in version 2.1.19-1.3 of
cyrus-sasl2.

We recommend that you upgrade your libsasl packages.

Solution:
http://www.securityspace.com/smysecure/catid.html?in=DSA%20563-3

Cross-Ref: BugTraq ID: 11347
Common Vulnerability Exposure (CVE) ID: CVE-2004-0884
http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html
Debian Security Information: DSA-563 (Google Search)
http://www.debian.org/security/2004/dsa-563
Debian Security Information: DSA-568 (Google Search)
http://www.debian.org/security/2004/dsa-568
https://bugzilla.fedora.us/show_bug.cgi?id=2137
http://www.gentoo.org/security/en/glsa/glsa-200410-05.xml
http://www.mandriva.com/security/advisories?name=MDKSA-2004:106
RedHat Security Advisories: RHSA-2004:546
http://rhn.redhat.com/errata/RHSA-2004-546.html
http://www.trustix.net/errata/2004/0053/
Bugtraq: 20050128 [OpenPKG-SA-2005.004] OpenPKG Security Advisory (sasl) (Google Search)
http://marc.theaimsgroup.com/?l=bugtraq&m=110693126007214&w=2
Computer Incident Advisory Center Bulletin: P-003
http://www.ciac.org/ciac/bulletins/p-003.shtml
http://www.securityfocus.com/bid/11347
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11678
XForce ISS Database: cyrus-sasl-saslpath(17643)
http://xforce.iss.net/xforce/xfdb/17643

Copyright Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com

This is only one of 32582 vulnerability tests in our test suite. Find out more about running a complete security audit.
To run a free test of this vulnerability against your system, register below.

New User Registration
Email:

UserID:

Passwd:

Please email me your monthly newsletters, informing the latest services, improvements & surveys.

Please email me a vulnerability test announcement whenever a new test is added.

Privacy

Registered User Login

UserID:

Passwd:

Forgot userid or passwd?

Email/Userid:

Test ID:	1.3.6.1.4.1.25623.1.0.53256
Category:	Debian Local Security Checks
Title:	Debian Security Advisory DSA 563-3 (cyrus-sasl)
Summary:	Debian Security Advisory DSA 563-3 (cyrus-sasl)
Description:	The remote host is missing an update to cyrus-sasl announced via advisory DSA 563-3. This advisory is an addition to DSA 563-1 and 563-2 which weren't able to supersede the library on sparc and arm due to a different version number for them in the stable archive. Other architectures were updated properly. Another problem was reported in connection with sendmail, though, which should be fixed with this update as well. For the stable distribution (woody) this problem has been fixed in version 1.5.27-3.1woody5. For reference the advisory text follows: A vulnerability has been discovered in the Cyrus implementation of the SASL library, the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. The library honors the environment variable SASL_PATH blindly, which allows a local user to link against a malicious library to run arbitrary code with the privileges of a setuid or setgid application. For the unstable distribution (sid) this problem has been fixed in version 1.5.28-6.2 of cyrus-sasl and in version 2.1.19-1.3 of cyrus-sasl2. We recommend that you upgrade your libsasl packages. Solution: http://www.securityspace.com/smysecure/catid.html?in=DSA%20563-3
Cross-Ref:	BugTraq ID: 11347 Common Vulnerability Exposure (CVE) ID: CVE-2004-0884 http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html Debian Security Information: DSA-563 (Google Search) http://www.debian.org/security/2004/dsa-563 Debian Security Information: DSA-568 (Google Search) http://www.debian.org/security/2004/dsa-568 https://bugzilla.fedora.us/show_bug.cgi?id=2137 http://www.gentoo.org/security/en/glsa/glsa-200410-05.xml http://www.mandriva.com/security/advisories?name=MDKSA-2004:106 RedHat Security Advisories: RHSA-2004:546 http://rhn.redhat.com/errata/RHSA-2004-546.html http://www.trustix.net/errata/2004/0053/ Bugtraq: 20050128 [OpenPKG-SA-2005.004] OpenPKG Security Advisory (sasl) (Google Search) http://marc.theaimsgroup.com/?l=bugtraq&m=110693126007214&w=2 Computer Incident Advisory Center Bulletin: P-003 http://www.ciac.org/ciac/bulletins/p-003.shtml http://www.securityfocus.com/bid/11347 http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:11678 XForce ISS Database: cyrus-sasl-saslpath(17643) http://xforce.iss.net/xforce/xfdb/17643
Copyright	Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com