USN-790-1: Cyrus SASL vulnerability

Ubuntu Security Notice USN-790-1

24th June, 2009

cyrus-sasl2 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS
  • Ubuntu 6.06 LTS

Software description

  • cyrus-sasl2

Details

James Ralston discovered that the Cyrus SASL base64 encoding function
(sasl_encode64) did not always NUL-terminate its output, so callers that
treated the result as a C string could read past the end of the buffer. If a
remote attacker sent a specially crafted request to a service that used SASL,
this could expose memory contents (a loss of privacy) or crash the
application, resulting in a denial of service.
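
The defect class involved, shown here as an added illustration rather than Cyrus SASL's own code: the upstream fix (Cyrus SASL 2.1.23) made sasl_encode64() require room for the terminator and always NUL-terminate on success. The encoder below reproduces the unsafe pattern (the size check counts only the encoded characters, so an exact-fit output buffer comes back without a NUL and a later strlen() walks off its end) next to the hardened pattern. The function names, the 16-byte scratch buffer and the sample input "ab" are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Illustration of the defect class behind CVE-2009-0688: a base64 encoder
 * that does not always NUL-terminate its output. This is NOT Cyrus SASL's
 * sasl_encode64(); function names, buffer sizes and inputs are assumptions.
 */

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Write the base64 text for in[0..inlen) to out; the caller guarantees room.
   Always writes exactly (inlen + 2) / 3 * 4 characters and returns that count. */
static size_t b64_emit(const unsigned char *in, size_t inlen, char *out)
{
    size_t i, o = 0;
    for (i = 0; i + 2 < inlen; i += 3) {            /* full 3-byte groups */
        out[o++] = B64[in[i] >> 2];
        out[o++] = B64[((in[i] & 0x03) << 4) | (in[i + 1] >> 4)];
        out[o++] = B64[((in[i + 1] & 0x0f) << 2) | (in[i + 2] >> 6)];
        out[o++] = B64[in[i + 2] & 0x3f];
    }
    if (i < inlen) {                                 /* 1 or 2 trailing bytes */
        out[o++] = B64[in[i] >> 2];
        if (i + 1 < inlen) {
            out[o++] = B64[((in[i] & 0x03) << 4) | (in[i + 1] >> 4)];
            out[o++] = B64[(in[i + 1] & 0x0f) << 2];
        } else {
            out[o++] = B64[(in[i] & 0x03) << 4];
            out[o++] = '=';
        }
        out[o++] = '=';
    }
    return o;
}

/* Unsafe pattern: the size check covers only the encoded characters, and the
   terminator is written only if a byte happens to be left over. When outmax
   equals (inlen + 2) / 3 * 4 the call "succeeds" but out is not a C string. */
int encode64_unsafe(const unsigned char *in, size_t inlen, char *out, size_t outmax)
{
    size_t need = (inlen + 2) / 3 * 4;
    if (need > outmax) return -1;
    b64_emit(in, inlen, out);
    if (need < outmax) out[need] = '\0';            /* silently skipped on exact fit */
    return (int)need;
}

/* Hardened pattern: the terminator is part of the required size, an
   undersized buffer is refused, and successful output is always a C string. */
int encode64_safe(const unsigned char *in, size_t inlen, char *out, size_t outmax)
{
    size_t need = (inlen + 2) / 3 * 4;
    if (need + 1 > outmax) return -1;               /* no room for the NUL: refuse */
    b64_emit(in, inlen, out);
    out[need] = '\0';
    return (int)need;
}

/* Encode the constructed input "ab" ("YWI=", 4 characters) into a buffer of
   outmax bytes pre-filled with a sentinel, and report what a caller would see:
   -1 = encoder refused, 0 = a NUL lies within outmax, 1 = no NUL within outmax
   (a strlen() on the result would read past the buffer). */
int exact_fit_outcome(int hardened, size_t outmax)
{
    static const unsigned char in[] = "ab";
    char buf[16];                                    /* assumed scratch size */
    int rc;

    if (outmax > sizeof buf) return -2;
    memset(buf, 'X', sizeof buf);                    /* sentinel: no stray NULs */
    rc = hardened ? encode64_safe(in, 2, buf, outmax)
                  : encode64_unsafe(in, 2, buf, outmax);
    if (rc < 0) return -1;
    return memchr(buf, '\0', outmax) == NULL ? 1 : 0;
}

int main(void)
{
    printf("unsafe, outmax=4: %d\n", exact_fit_outcome(0, 4));  /* 1: unterminated */
    printf("safe,   outmax=4: %d\n", exact_fit_outcome(1, 4));  /* -1: refused */
    printf("unsafe, outmax=5: %d\n", exact_fit_outcome(0, 5));  /* 0: terminated */
    printf("safe,   outmax=5: %d\n", exact_fit_outcome(1, 5));  /* 0: terminated */
    return 0;
}
```

The point for callers is that the unsafe variant reports success for the 4-byte buffer even though nothing marks the end of the string; only the variant that counts the terminator in its size check gives the caller an error to act on.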

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.04:
libsasl2-2 2.1.22.dfsg1-23ubuntu3.1
Ubuntu 8.10:
libsasl2-2 2.1.22.dfsg1-21ubuntu2.1
Ubuntu 8.04 LTS:
libsasl2-2 2.1.22.dfsg1-18ubuntu2.1
Ubuntu 6.06 LTS:
libsasl2 2.1.19.dfsg1-0.1ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

After a standard system upgrade you need to restart services that use SASL so
they load the fixed library. You can confirm the installed version with
dpkg -l libsasl2-2 (dpkg -l libsasl2 on Ubuntu 6.06 LTS).

References

CVE-2009-0688