security advisory regarding cyrus-sasl?

Marcel Holtmann marcel at holtmann.org
Thu Apr 13 09:20:08 EDT 2006


Hi Alexey,

> >>the advisory speaks about cyrus-sasl-2.1.18 and is really vague. Can you
> >>tell us when it got fixed and point to an actual patch in the CVS. I
> >>assume that this issue has already been fixed in version 2.1.20, but
> >>also I might be wrong with this assumption.
> >
> >I found this one:
> >
> >https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.170&r2=1.171
> >
> >a heap buffer overflow?
>
> No, this was a fix to a bug introduced in 1.170. This was never released 
> in any official Cyrus SASL version.
> So unless somebody was unlucky enough to take a Cyrus SASL snapshot 
> including r1.170, there should be no issue.

Before we continue guessing, can you please point us to the actual fix
in the CVS?

Regards

Marcel