Debian 3.0 DSA 563-3 Critical: cyrus-sasl Local Input Threat
debian
October 14, 2004
This advisory is an addition to DSA 563-1 and 563-2 which weren't ableto supersede the library on sparc and arm due to a different versionnumber for them in the stable archive.
Summary
This advisory is an addition to DSA 563-1 and 563-2 which weren't able
to supersede the library on sparc and arm due to a different version
number for them in the stable archive. Other architectures were
updated properly. Another problem was reported in connection with
sendmail, though, which should be fixed with this update as well.
For the stable distribution (woody) this problem has been fixed in
version 1.5.27-3.1woody5.
For reference the advisory text follows:
A vulnerability has been discovered in the Cyrus implementation of
the SASL library, the Simple Authentication and Security Layer, a
method for adding authentication support to connection-based
protocols. The library honors the environment variable SASL_PATH
blindly, which allows a local user to link against a malicious
library to run arbitrary code with the privileges of a setuid or
setgid application.
For the unstable distribution (sid) this problem has been fixed in
version 1.5.28-6.2 of cyrus-sasl and in version ...
PREVIOUS
NEXT
Severity
critical
Lowest
Low
Medium
High
Critical
Package: cyrus-sasl
CVE ID: CAN-2004-0884
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!