|Category:||Debian Local Security Checks|
|Title:||Debian Security Advisory DSA 563-3 (cyrus-sasl)|
|Summary:||Debian Security Advisory DSA 563-3 (cyrus-sasl)|
|Description:||The remote host is missing an update to cyrus-sasl|
announced via advisory DSA 563-3.
This advisory is an addition to DSA 563-1 and 563-2 which weren't able
to supersede the library on sparc and arm due to a different version
number for them in the stable archive. Other architectures were
updated properly. Another problem was reported in connection with
sendmail, though, which should be fixed with this update as well.
For the stable distribution (woody) this problem has been fixed in
For reference the advisory text follows:
A vulnerability has been discovered in the Cyrus implementation of
the SASL library, the Simple Authentication and Security Layer, a
method for adding authentication support to connection-based
protocols. The library honors the environment variable SASL_PATH
blindly, which allows a local user to link against a malicious
library to run arbitrary code with the privileges of a setuid or
For the unstable distribution (sid) this problem has been fixed in
version 1.5.28-6.2 of cyrus-sasl and in version 2.1.19-1.3 of
We recommend that you upgrade your libsasl packages.
BugTraq ID: 11347|
Common Vulnerability Exposure (CVE) ID: CVE-2004-0884
Debian Security Information: DSA-563 (Google Search)
Debian Security Information: DSA-568 (Google Search)
RedHat Security Advisories: RHSA-2004:546
Bugtraq: 20050128 [OpenPKG-SA-2005.004] OpenPKG Security Advisory (sasl) (Google Search)
Computer Incident Advisory Center Bulletin: P-003
XForce ISS Database: cyrus-sasl-saslpath(17643)
|Copyright||Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com|
|This is only one of 39786 vulnerability tests in our test suite. Find out more about running a complete security audit.|
To run a free test of this vulnerability against your system, register below.