USN-790-1: Cyrus SASL vulnerability

24 June 2009

cyrus-sasl2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software Description

  • cyrus-sasl2

Details

James Ralston discovered that the Cyrus SASL base64 encoding function could be used unsafely. If a remote attacker sent a specially crafted request to a service that used SASL, it could lead to a loss of privacy, or crash the application, resulting in a denial of service.

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.04
  • libsasl2-2 - 2.1.22.dfsg1-23ubuntu3.1

Ubuntu 8.10
  • libsasl2-2 - 2.1.22.dfsg1-21ubuntu2.1

Ubuntu 8.04 LTS
  • libsasl2-2 - 2.1.22.dfsg1-18ubuntu2.1

Ubuntu 6.06 LTS
  • libsasl2 - 2.1.19.dfsg1-0.1ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart services using SASL to effect the necessary changes.
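The update procedure above boils down to one question per host: is the installed libsasl2 package at or above the fixed version listed for that release? The following script is an added example, not part of the advisory or of Ubuntu's own tooling. The fixed versions are copied from the table above; the Debian version ordering (epoch, upstream, revision, digit runs compared numerically, "~" sorting before everything) is re-implemented here so the comparison can be exercised offline, and the live check assumes a Debian-style system where `lsb_release -rs` and `dpkg-query -W` are available. A plain string comparison would get pre-release suffixes and multi-digit revisions wrong, which is why the dpkg rules are spelled out.

```python
"""Check an installed Cyrus SASL package against the USN-790-1 fixed versions.

Added example (not Ubuntu's tooling). Fixed versions come from the advisory;
compare_versions() re-implements the dpkg ordering so it runs without dpkg.
"""
import re
import subprocess

# Package name and fixed version per Ubuntu release, as listed in USN-790-1.
FIXED_VERSIONS = {
    "9.04": ("libsasl2-2", "2.1.22.dfsg1-23ubuntu3.1"),
    "8.10": ("libsasl2-2", "2.1.22.dfsg1-21ubuntu2.1"),
    "8.04": ("libsasl2-2", "2.1.22.dfsg1-18ubuntu2.1"),
    "6.06": ("libsasl2", "2.1.19.dfsg1-0.1ubuntu3.1"),
}


def _order(c):
    # dpkg's ordering for one non-digit character: '~' sorts before anything,
    # even end-of-string; end-of-string (or a digit) is 0; letters before symbols.
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a, b):
    # Compare an upstream or revision fragment the dpkg way: alternate runs of
    # non-digits (character by character via _order) and digits (numerically).
    while a or b:
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ca = a[0] if a and not a[0].isdigit() else ""
            cb = b[0] if b and not b[0].isdigit() else ""
            if _order(ca) != _order(cb):
                return -1 if _order(ca) < _order(cb) else 1
            a, b = a[1:], b[1:]  # both are equal non-digit characters here
        da = re.match(r"\d*", a).group()
        db = re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        na, nb = int(da or "0"), int(db or "0")
        if na != nb:
            return -1 if na < nb else 1
    return 0


def _split(version):
    # Debian version: [epoch:]upstream[-revision]; the last '-' separates the revision.
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 like dpkg --compare-versions (a lt/eq/gt b)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    c = _cmp_fragment(ua, ub)
    return c if c else _cmp_fragment(ra, rb)


def is_fixed(release, installed_version):
    """True if installed_version is at or above the USN-790-1 fix for the release."""
    _package, fixed = FIXED_VERSIONS[release]
    return compare_versions(installed_version, fixed) >= 0


def check_live_system():
    """Query the running host; returns (release, package, installed, fixed?) or None."""
    try:
        release = subprocess.check_output(["lsb_release", "-rs"], text=True).strip()
        package = FIXED_VERSIONS[release][0]
        installed = subprocess.check_output(
            ["dpkg-query", "-W", "-f=${Version}", package], text=True).strip()
    except (OSError, subprocess.CalledProcessError, KeyError):
        return None  # not an Ubuntu release covered by this notice, or no dpkg
    return release, package, installed, is_fixed(release, installed)


if __name__ == "__main__":
    result = check_live_system()
    if result is None:
        print("host is not one of the releases covered by USN-790-1 (or dpkg is missing)")
    else:
        release, package, installed, ok = result
        print(f"Ubuntu {release}: {package} {installed} -> {'fixed' if ok else 'UPDATE NEEDED'}")
```

A non-zero result from `is_fixed` only tells you the library on disk is patched; as the notice says, services that already loaded the old libsasl2 keep the vulnerable copy mapped until they are restarted.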

References