Re: cyrus-sasl security update seemed to fail (solved)
On Thu, 14 Oct 2004, Oliver Fuchs wrote:
> Hi,
>
> I have updated my debian woody box via dselect (update) with the latest
> cyrus-sasl update:
>
> [...]
> cyrus-sasl (1.5.27-3woody3) stable-security; urgency=high
> * Non-maintainer upload by the Security Team
> * Corrected the assignment to path which is a char *, not a char
> -- Martin Schulze <joey@infodrom.org> Tue, 12 Oct 2004 15:54:04 +0200
> cyrus-sasl (1.5.27-3woody2) stable-security; urgency=high
> * Non-maintainer upload by the Security Team
> * Added special detection routine for big/little endianness on MIPS since
> the line "byteorder : {big|little} endian" from /proc/cpuinfo was
> removed as of Linux 2.4.20, resulting in the mipsel buildd being
> unable to build this package.
> -- Martin Schulze <joey@infodrom.org> Mon, 11 Oct 2004 16:28:45 +0200
> cyrus-sasl (1.5.27-3woody1) stable-security; urgency=high
> * Non-maintainer upload by the Security Team
> * Applied upstream patch to not blindly trust SASL_PATH anymore
> [lib/common.c, CAN-2004-0884]
>
> -- Martin Schulze <joey@infodrom.org> Fri, 8 Oct 2004 16:45:19 +0200
> [...]
>
> In my sendmail.mc I am using:
> define(`SMART_HOST', `[smtp.memyselfandI.de]')dnl
> FEATURE(`authinfo')dnl
>
> My authinfo looks like this:
> AuthInfo:smtp.memyselfandI.de "U:whoareyou" "P:donttellanyone"
>
> Before the security update everything worked o.k. ... I could use the
> SMTP-AUTH without any problems.
>
> Doing a
> telnet localhost smtp
> ehlo localhost
>
> shows me
>
> 250 AUTH DIGEST-MD5 PLAIN LOGIN GSSAPI CRAM-MD5
>
> Since the security update the sendmail SMTP-AUTH is not working anymore
> instead I receive a
>
> temporary auth failure
>
> in my sendmail logs. The telnet localhost smtp command does not show any
>
> 250 AUTH
>
> message anymore.
>
> I do not know exactly if I am missing something but I think that this
> security-update
>
> Package : cyrus-sasl
> Vulnerability : unsanitised input
> Problem-Type : local
> Debian-specific: no
> CVE ID : CAN-2004-0884
> Debian Bug : 275498
>
> is not running without errors.
>
> Oliver
> --
> ... don't touch the bang bang fruit
>
See security update:
[SECURITY] [DSA 563-3] New cyrus-sasl packages fix arbitrary
code execution on sparc and arm
Package : cyrus-sasl
Vulnerability : unsanitised input
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2004-0884
Debian Bug : 275498
Oliver
--
... don't touch the bang bang fruit
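The changelog quoted above says the woody1 update stopped trusting SASL_PATH blindly (lib/common.c, CAN-2004-0884). The following is an added illustration of that class of fix, written for this page; it is not cyrus-sasl's code and does not reproduce what lib/common.c actually does. The default directory, the function names and the "privileged" flag are assumptions made for the example. The vulnerable variant lets the environment pick the plugin directory unconditionally; the hardened variant ignores it whenever the process runs with an effective uid or gid different from its real one, which is the setuid situation a local attacker would abuse.

```c
/* Added example, not cyrus-sasl code: decide whether the SASL_PATH
 * environment variable may override the built-in plugin directory.
 * DEFAULT_PLUGIN_DIR and the function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl"   /* assumed default, not taken from the page */

/* Vulnerable pattern: the environment wins unconditionally. A local user
 * who can run a setuid program linked against the library can point
 * SASL_PATH at a directory of their own plugins and have them loaded
 * with the program's privileges. */
const char *plugin_dir_vulnerable(const char *env_sasl_path)
{
    return env_sasl_path ? env_sasl_path : DEFAULT_PLUGIN_DIR;
}

/* Hardened pattern: honour SASL_PATH only when the process is not running
 * with privileges it did not start with. The 'privileged' flag is passed
 * in explicitly so the decision can be exercised without a real setuid
 * binary; an empty or unset variable also falls back to the default. */
const char *plugin_dir_hardened(const char *env_sasl_path, int privileged)
{
    if (privileged || env_sasl_path == NULL || env_sasl_path[0] == '\0')
        return DEFAULT_PLUGIN_DIR;
    return env_sasl_path;
}

/* Wrapper that reads the real environment and uid/gid state of the
 * calling process. Note that 'path' here is a char *: assigning it a
 * single character would compile (with a warning) and leave a bogus
 * pointer, which is the kind of slip the woody3 changelog entry refers to. */
const char *current_plugin_dir(void)
{
    int privileged = (getuid() != geteuid()) || (getgid() != getegid());
    const char *path = plugin_dir_hardened(getenv("SASL_PATH"), privileged);
    return path;
}

int main(void)
{
    const char *attacker = "/tmp/evil-plugins";   /* constructed input */
    printf("vulnerable:        %s\n", plugin_dir_vulnerable(attacker));
    printf("hardened (setuid): %s\n", plugin_dir_hardened(attacker, 1));
    printf("hardened (normal): %s\n", plugin_dir_hardened(attacker, 0));
    printf("this process:      %s\n", current_plugin_dir());
    return 0;
}
```

Run it as an unprivileged user with and without SASL_PATH set to see the last line change; run it with a setuid copy and the environment is ignored. The same shape of check (real vs. effective ids before honouring an environment override) is what the dynamic loader applies to LD_LIBRARY_PATH, so the fix is a well-trodden one rather than something specific to SASL.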