[SECURITY] [DSA 6271-1] gsasl security update

To: debian-security-announce@lists.debian.org
Subject: [SECURITY] [DSA 6271-1] gsasl security update
From: Moritz Muehlenhoff <jmm@debian.org>
Date: Thu, 14 May 2026 14:38:27 +0000
Message-id: <[🔎] agXeY95D0g13sz7i@seger.debian.org>
Reply-to: debian-security-announce-request@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-6271-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 14, 2026                          https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : gsasl
CVE ID         : not yet available

It was discovered that missing input sanitising in the DIGEST-MD5 parser
of the GNU SASL library could result in denial of service.

For the oldstable distribution (bookworm), this problem has been fixed
in version 2.2.0-1+deb12u1.

For the stable distribution (trixie), this problem has been fixed in
version 2.2.2-1.1+deb13u1.

We recommend that you upgrade your gsasl packages.

For the detailed security status of gsasl please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/gsasl

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmoF3gwACgkQEMKTtsN8
TjZNcA/+M8SUrM+6GWUX101Asox+ywwP9XzeHAtJF929nDZ2TUiCftAOMheiQrlQ
Qo/ABJ5W8e/HoAGL6Oywfm27KAPzN/1HbLL1IdJYkbm2s2gWUEef1hSwdH+0AXeU
rA5j+gO/6JgqysDkXab05cDnzPpPCCCfL6+LysvtcDm0sQTkXUvno5NUEjX8AKrQ
zAJ5mgpPOmmGBPrkOWyWEyrFyFjcJDzPmmd1mz2XrvHMz/YSPpiqSaEWKC3rVptV
w6DY9lfGOCeQ10Cr9mJzD8VMIFRRCF4QdvxAPPncLKFkLLlOAGmys+qSUPQuwNqh
+Q7UsPoSoVjShtinTsRtZP+jtMJy/9hVrGnG8Oq/kdNAtsZ868TTSwxw+JTyjVE4
9jXUBoGk0bBCYm6I62lkdS+CU3CdtFTz3/ySGShjXetlOMd2rJ7nJgAjw+Pf/vXb
d00Qw5FUe6t63Q0R0qZw/UIR10Yl7Z2Us04+1CUcZAmOx5ePMCunvSg9f1mnOq68
FHPRn/TYGFZKWfx5s8UBga5zX/TNTqVbDLzX56vF/Z6vdal5kUw6/IpMRByQWC/S
FUNNZu8v5arUe8HogLmrGTE4IUdIKjG83+11kgMiYxuA3WyTHM20Y9k1V/Ckh+ti
gW9wK+I7A4nqxMlXLSlSQRjnq9SG4PUyhZlazJNIlgYelM6EtYw=
=QNTN
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DSA 6270-1] postgresql-17 security update
Next by Date: [SECURITY] [DSA 6272-1] nodejs security update
Previous by thread: [SECURITY] [DSA 6270-1] postgresql-17 security update
Next by thread: [SECURITY] [DSA 6272-1] nodejs security update
Index(es):
- Date
- Thread