security advisory regarding cyrus-sasl?

Alexey Melnikov alexey.melnikov at isode.com
Thu Apr 13 08:00:39 EDT 2006


Marcus Meissner wrote:

>>the advisory speaks about cyrus-sasl-2.1.18 and is really vague. Can you
>>tell us when it got fixed and point to an actual patch in the CVS. I
>>assume that this issue has already been fixed in version 2.1.20, but
>>also I might be wrong with this assumption.
>>
>I found this one:
>
>https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.170&r2=1.171
>
>a heap buffer overflow?
>
No, this was a fix to a bug introduced in 1.170. This was never released
in any official Cyrus SASL version.
So unless somebody was unlucky enough to take a Cyrus SASL snapshot
including r1.170, there should not be an issue.


