On Mon, Jun 01, 2009 at 02:42:10PM +0200, Nico Golde wrote:
> James Ralston discovered that the sasl_encode64() function of cyrus-sasl2,
> a free library implementing the Simple Authentication and Security Layer,
> suffers from a missing null termination in certain situations. This causes
> several buffer overflows in situations where cyrus-sasl2 itself requires
> the string to be null terminated which can lead to denial of service or
> arbitrary code execution.
> For the oldstable distribution (etch), this problem will be fixed soon.
2.1.22.dfsg1-8+etch1 has now appeared in the security archive which
appears to fix this problem, but no subsequent advisory has been released.
Is this an oversight?
Cheers,
Dominic.
--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
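As an added illustration of the defect class the quoted advisory describes (this is not cyrus-sasl's own code nor the patch Debian shipped): a hypothetical `safe_encode64()` with the parameter shape of sasl_encode64() that rejects an output buffer lacking room for the NUL terminator and always terminates its result. The return codes and the `encodes_to()` helper are constructed for this example.

```c
#include <string.h>
/* Return codes, constructed here; they loosely mirror SASL_OK / SASL_BUFOVER. */
#define ENC_OK 0
#define ENC_BUFOVER (-1)
static const char b64tab[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Output bytes base64 produces for inlen input bytes, NOT counting the NUL. */
size_t encode64_len(size_t inlen) { return 4 * ((inlen + 2) / 3); }

/* Hypothetical encoder with the parameter shape of sasl_encode64(). It refuses
 * to run unless the buffer holds the encoded text PLUS a terminating NUL, so a
 * caller that later treats *out as a C string cannot read past the buffer. */
int safe_encode64(const char *in, size_t inlen, char *out, size_t outmax, size_t *outlen)
{
    if (outmax < encode64_len(inlen) + 1)    /* the +1 reserves the NUL */
        return ENC_BUFOVER;
    const unsigned char *p = (const unsigned char *)in;
    char *o = out;
    for (; inlen >= 3; p += 3, inlen -= 3) {
        *o++ = b64tab[p[0] >> 2];
        *o++ = b64tab[((p[0] & 0x03) << 4) | (p[1] >> 4)];
        *o++ = b64tab[((p[1] & 0x0f) << 2) | (p[2] >> 6)];
        *o++ = b64tab[p[2] & 0x3f];
    }
    if (inlen > 0) {                         /* 1 or 2 trailing bytes, '=' padded */
        *o++ = b64tab[p[0] >> 2];
        if (inlen == 1) {
            *o++ = b64tab[(p[0] & 0x03) << 4];
            *o++ = '=';
        } else {
            *o++ = b64tab[((p[0] & 0x03) << 4) | (p[1] >> 4)];
            *o++ = b64tab[(p[1] & 0x0f) << 2];
        }
        *o++ = '=';
    }
    *o = '\0';                               /* always terminate */
    if (outlen) *outlen = (size_t)(o - out);
    return ENC_OK;
}

/* Test helper: encode into the first outmax bytes of a scratch buffer. With
 * expect == NULL, succeed only if the undersized buffer was rejected. */
int encodes_to(const char *in, size_t inlen, size_t outmax, const char *expect)
{
    char buf[64];
    size_t n = 0;
    int rc = safe_encode64(in, inlen, buf, outmax > 64 ? 64 : outmax, &n);
    if (expect == NULL) return rc == ENC_BUFOVER;
    return rc == ENC_OK && n == strlen(expect) && strcmp(buf, expect) == 0;
}
```

A buffer sized to exactly `encode64_len(inlen)` is the case the check exists for: the encoded text fits, but a caller that then calls strlen() or strcmp() on it would run off the end.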