
Re: cyrus-sasl security update seemed to fail (solved)



On Thu, 14 Oct 2004, Oliver Fuchs wrote:

> Hi,
> 
> I have updated my debian woody box via dselect (update) with the latest
> cyrus-sasl update:
> 
> [...]
> cyrus-sasl (1.5.27-3woody3) stable-security; urgency=high
>   * Non-maintainer upload by the Security Team
>   * Corrected the assignment to path which is a char *, not a char
>  -- Martin Schulze <joey@infodrom.org>  Tue, 12 Oct 2004 15:54:04 +0200
> cyrus-sasl (1.5.27-3woody2) stable-security; urgency=high
>   * Non-maintainer upload by the Security Team
>   * Added special detection routine for big/little endianess on MIPS since
>     the line "byteorder : {big|little} endian" from /proc/cpuinfo was
>     removed as of Linux 2.4.20, resulting in the mipsel buildd being
>     unable to build this package.
>  -- Martin Schulze <joey@infodrom.org>  Mon, 11 Oct 2004 16:28:45 +0200
> cyrus-sasl (1.5.27-3woody1) stable-security; urgency=high
>   * Non-maintainer upload by the Security Team
>   * Applied upstream patch to not blindly trust SASL_PATH blindly anymore
>     [lib/common.c, CAN-2004-0884]
> 
>  -- Martin Schulze <joey@infodrom.org>  Fri,  8 Oct 2004 16:45:19 +0200
> [...]
> 
> In my sendmail.mc I am using: 
> define(`SMART_HOST',	`[smtp.memyselfandI.de]')dnl
> FEATURE(`authinfo')dnl
> 
> My authinfo looks like this:
> AuthInfo:smtp.memyselfandI.de "U:whoareyou" "P:donttellanyone"
> 
> Before the security update everything worked o.k. ... I could use the
> SMTP-AUTH without any problems.
> 
> Doing a 
> telnet localhost smtp
> ehlo localhost
> 
> shows me
> 
> 250 AUTH DIGEST-MD5 PLAIN LOGIN GSSAPI CRAM-MD5
> 
> Since the security update the sendmail SMTP-AUTH is not working anymore;
> instead I receive a
> 
> temporary auth failure
> 
> in my sendmail logs. The telnet localhost smtp command does not show any 
> 
> 250 AUTH
> 
> message anymore.
> 
> I do not know exactly if I am missing something but I think that this
> security-update 
> 
> Package        : cyrus-sasl
> Vulnerability  : unsanitised input
> Problem-Type   : local
> Debian-specific: no
> CVE ID         : CAN-2004-0884
> Debian Bug     : 275498
> 
> is not running without errors.
> 
> Oliver
> -- 
> ... don't touch the bang bang fruit
> 


See security update:

[SECURITY] [DSA 563-3] New cyrus-sasl packages fix arbitrary
code execution on sparc and arm

Package        : cyrus-sasl
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0884
Debian Bug     : 275498

Oliver
-- 
... don't touch the bang bang fruit