-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 563-2                     security@xxxxxxxxxx
http://www.debian.org/security/                             Martin Schulze
October 12th, 2004                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : cyrus-sasl
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0884
Debian Bug     : 275498

This advisory corrects DSA 563-1, which contained a library that caused
other programs to fail unintentionally.

For the stable distribution (woody) this problem has been fixed in
version 1.5.27-3woody3.

For reference the advisory text follows:

   A vulnerability has been discovered in the Cyrus implementation of
   the SASL library, the Simple Authentication and Security Layer, a
   method for adding authentication support to connection-based
   protocols.  The library honors the environment variable SASL_PATH
   blindly, which allows a local user to link against a malicious
   library to run arbitrary code with the privileges of a setuid or
   setgid application.

   For the unstable distribution (sid) this problem has been fixed in
   version 1.5.28-6.2 of cyrus-sasl and in version 2.1.19-1.3 of
   cyrus-sasl2.

We recommend that you upgrade your libsasl packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBbAw/W5ql+IAeqTIRAmI/AJ93/EAbszDfBgPQRAXbkwssEmGEoACfb8GN
pAAIxEg1AX0aH76w374vyiw=
=zDRq
-----END PGP SIGNATURE-----
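
The SASL_PATH problem described in the advisory above, shown as the unchecked lookup beside a form that ignores the variable when the process runs setuid or setgid. This is an added example, not code from Cyrus SASL or from the Debian patch; the function names and DEFAULT_PLUGIN_DIR are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed compiled-in plugin directory; a placeholder, not Debian's path. */
#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl"

/* Before: the pattern the advisory describes. Whatever the invoking user
 * put in SASL_PATH decides where plugins are loaded from, even when the
 * process is setuid or setgid. */
const char *plugin_dir_unchecked(void)
{
    const char *p = getenv("SASL_PATH");
    return (p && *p) ? p : DEFAULT_PLUGIN_DIR;
}

/* A process is privileged relative to its caller when the effective IDs
 * differ from the real ones, which is what a setuid/setgid exec produces. */
int ids_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* After: SASL_PATH is consulted only when the IDs show no elevation.
 * The IDs are parameters so the decision can be exercised without
 * installing a setuid binary. */
const char *plugin_dir_for(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (ids_elevated(ruid, euid, rgid, egid))
        return DEFAULT_PLUGIN_DIR;      /* environment is untrusted here */
    return plugin_dir_unchecked();
}

/* What a library would call: the same check against the live process.
 * glibc's secure_getenv() makes the equivalent decision from AT_SECURE. */
const char *plugin_dir_checked(void)
{
    return plugin_dir_for(getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    printf("unchecked: %s\n", plugin_dir_unchecked());
    printf("checked:   %s\n", plugin_dir_checked());
    return 0;
}
```
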