Re: security advisory regarding cyrus-sasl?

Hi Alexey,

> >>The advisory speaks about cyrus-sasl-2.1.18 and is really vague. Can you
> >>tell us when it got fixed and point to an actual patch in the CVS? I
> >>assume that this issue has already been fixed in version 2.1.20, but
> >>also I might be wrong with this assumption.
> >>    
> >>
> >I found this one:
> >
> >https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.170&r2=1.171
> >
> >a heap buffer overflow?
> >  
> >
> No, this was a fix to a bug introduced in 1.170. This was never released 
> in any official Cyrus SASL version.
> So unless somebody was unlucky enough to take a Cyrus SASL snapshot 
> including r1.170, there should not be an issue.

Before we continue guessing, can you please point us to the actual fix
in the CVS?

Regards

Marcel


