Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution


Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution

by jmdh


On Mon, Jun 01, 2009 at 02:42:10PM +0200, Nico Golde wrote:

> James Ralston discovered that the sasl_encode64() function of cyrus-sasl2,
> a free library implementing the Simple Authentication and Security Layer,
> suffers from a missing null termination in certain situations.  This causes
> several buffer overflows in situations where cyrus-sasl2 itself requires
> the string to be null terminated which can lead to denial of service or
> arbitrary code execution.

> For the oldstable distribution (etch), this problem will be fixed soon.

2.1.22.dfsg1-8+etch1 has now appeared in the security archive which
appears to fix this problem, but no subsequent advisory has been released.
Is this an oversight?

Cheers,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)


--
To UNSUBSCRIBE, email to debian-security-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...
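The quoted DSA text above describes sasl_encode64() leaving its output unterminated in some situations, with callers then treating the result as a C string. The following C example is added here and is constructed, not cyrus-sasl's code: a minimal encoder with the same parameter shape, the length check that admits an unterminated result beside the corrected check that reserves a byte for the NUL, and a probe that reports which case occurred. The names encode64, check_terminated and encodes_to are assumptions.

```c
#include <string.h>
/* Constructed illustration, not cyrus-sasl's code: a minimal base64
 * encoder shaped like sasl_encode64(in, inlen, out, outmax, &outlen).
 * reserve_nul == 0 accepts a buffer of exactly the encoded length and
 * then has no room for a terminator (the DSA's defect class);
 * reserve_nul == 1 refuses unless the NUL also fits. */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Returns 0 on success, -1 when out is too small. */
int encode64(const char *in, size_t inlen, char *out, size_t outmax,
             size_t *outlen, int reserve_nul)
{
    size_t need = ((inlen + 2) / 3) * 4;      /* encoded length, no NUL */
    size_t i, o = 0;
    if (need > outmax || (reserve_nul && need >= outmax))
        return -1;                             /* caller's buffer too small */
    for (i = 0; i < inlen; i += 3) {
        unsigned int v = (unsigned char)in[i] << 16;
        if (i + 1 < inlen) v |= (unsigned char)in[i + 1] << 8;
        if (i + 2 < inlen) v |= (unsigned char)in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < inlen) ? B64[v & 63] : '=';
    }
    if (o < outmax) out[o] = '\0';             /* terminate only if room */
    if (outlen) *outlen = o;
    return 0;
}

/* Encodes into a poisoned outmax-byte buffer: 1 = NUL landed inside the
 * buffer (safe to strlen()), 0 = encoded but unterminated (strlen()
 * would run past the buffer), -1 = refused because no NUL would fit. */
int check_terminated(const char *in, size_t inlen, size_t outmax, int rsv)
{
    char buf[64];
    if (outmax > sizeof buf) return -1;
    memset(buf, 'X', sizeof buf);              /* poison: no stray NULs */
    if (encode64(in, inlen, buf, outmax, NULL, rsv) != 0) return -1;
    return memchr(buf, '\0', outmax) != NULL;
}

/* Returns 1 when in encodes (with room for the NUL) exactly to expect. */
int encodes_to(const char *in, size_t inlen, const char *expect)
{
    char buf[64];
    if (encode64(in, inlen, buf, sizeof buf, NULL, 1) != 0) return 0;
    return strcmp(buf, expect) == 0;
}
```

The interesting case is an output buffer sized to exactly the encoded length: the lenient check accepts it and returns an unterminated buffer, while the strict check rejects it up front.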


Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution

by Thijs Kinkhorst-4


On Mon, June 15, 2009 16:42, Dominic Hargreaves wrote:
>> For the oldstable distribution (etch), this problem will be fixed soon.
>>
>
> 2.1.22.dfsg1-8+etch1 has now appeared in the security archive which
> appears to fix this problem, but no subsequent advisory has been released.
>  Is this an oversight?

I'm not sure - the advisory tells us that the updated packages will be
released soon, and that's exactly what happened. Point is that we don't
have fixed rules for which events lead to a "-2" DSA mail and which don't.
Some cases are clear: when we update packages for a regression. In others
it's always a tradeoff: would a "-2" add more information for our users? We
could send such an update mail strictly for each and every change, but
this would also add a lot of noise.


cheers,
Thijs




Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution

by Nico Golde-9


Hi,
* Thijs Kinkhorst <thijs@...> [2009-06-15 17:39]:

> On Mon, June 15, 2009 16:42, Dominic Hargreaves wrote:
> >> For the oldstable distribution (etch), this problem will be fixed soon.
> >>
> >
> > 2.1.22.dfsg1-8+etch1 has now appeared in the security archive which
> > appears to fix this problem, but no subsequent advisory has been released.
> >  Is this an oversight?
>
> I'm not sure - the advisory tells us that the updated packages will be
> released soon, and that's exactly what happened. Point is that we don't
> have fixed rules for which events lead to a "-2" DSA mail and which don't.
Yes, exactly the reason why I didn't release another
advisory.

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@... - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.



Re: [SECURITY] [DSA 1807-1] New cyrus-sasl2/cyrus-sasl2-heimdal packages fix arbitrary code execution

by jmdh


On Mon, Jun 15, 2009 at 06:10:29PM +0200, Nico Golde wrote:

> Hi,
> * Thijs Kinkhorst <thijs@...> [2009-06-15 17:39]:
> > On Mon, June 15, 2009 16:42, Dominic Hargreaves wrote:
> > >> For the oldstable distribution (etch), this problem will be fixed soon.
> > >>
> > >
> > > 2.1.22.dfsg1-8+etch1 has now appeared in the security archive which
> > > appears to fix this problem, but no subsequent advisory has been released.
> > >  Is this an oversight?
> >
> > I'm not sure - the advisory tells us that the updated packages will be
> > released soon, and that's exactly what happened. Point is that we don't
> > have fixed rules for which events lead to a "-2" DSA mail and which don't.
>
> Yes, exactly the reason why I didn't release another
> advisory.

I'm not convinced by that reasoning; the lack of a follow-up advisory meant
that people relying on the advisories for notification of package updates
had no way to tell that the packages were available, and would have had to
check on the off chance every so often; also that the package lists
and MD5sums weren't available for those files.

Anyway, I can see that there are arguments for both ways so I won't
push it :)

Cheers,
Dominic.

--
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)

