security advisory regarding cyrus-sasl?

Alexey Melnikov alexey.melnikov at isode.com
Wed Apr 19 12:58:16 EDT 2006


Marcus Meissner wrote:

>On Thu, Apr 13, 2006 at 04:05:56PM +0200, Marcel Holtmann wrote:
>
>>Hi Alexey,
>>
>>>>the advisory speaks about cyrus-sasl-2.1.18 and is really vague. Can you
>>>>tell us when it got fixed and point to the actual patch in the CVS? I assume
>>>>that this issue has already been fixed in version 2.1.20, but I might be
>>>>wrong.
>>>>
>>>Yes, 2.1.20 should do. 2.1.21 doesn't segfault. I didn't test any 
>>>versions in between.
>>>
>>can you point us to the fix in the CVS for this problem, it would be
>>terrific to know for sure how it has been fixed.
>>
>It is apparently:
>
>https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.173&r2=1.175
>
Correct.
Note that all versions up to and including 2.1.20 are vulnerable to 
this problem.


