
Full Disclosure mailing list archives

MDKSA-2004:106 - Updated cyrus-sasl packages fix local vulnerability
From: Mandrake Linux Security Team <security () linux-mandrake com>
Date: 7 Oct 2004 19:53:16 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           cyrus-sasl
 Advisory ID:            MDKSA-2004:106
 Date:                   October 7th, 2004

 Affected versions:      10.0, 9.2, Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A vulnerability was discovered in the libsasl library of cyrus-sasl.
 libsasl honors the SASL_PATH environment variable blindly, which
 could allow a local user to create a malicious "library" that would
 get executed with the effective ID of SASL when anything calls
 libsasl.
 
 The provided packages are patched to protect against this
 vulnerability.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0884
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 5e5d9e126e0bf03a9c7dc7def1213c4e  10.0/RPMS/cyrus-sasl-2.1.15-10.1.100mdk.i586.rpm
 8562e1d0be93b26ea84d0b025644cea1  10.0/RPMS/libsasl2-2.1.15-10.1.100mdk.i586.rpm
 533a72fdd6edc830d9217dd984da3aac  10.0/RPMS/libsasl2-devel-2.1.15-10.1.100mdk.i586.rpm
 d736f6e8f20741c34e95637d43486471  10.0/RPMS/libsasl2-plug-anonymous-2.1.15-10.1.100mdk.i586.rpm
 b62cd043af5fa4dac25c3789b66849c5  10.0/RPMS/libsasl2-plug-crammd5-2.1.15-10.1.100mdk.i586.rpm
 e588f90d705706d284a6688dd4b9b136  10.0/RPMS/libsasl2-plug-digestmd5-2.1.15-10.1.100mdk.i586.rpm
 1f6c4d7f481b6ff91b8d614648e98be5  10.0/RPMS/libsasl2-plug-gssapi-2.1.15-10.1.100mdk.i586.rpm
 286f311f343c2f21df4c9fbfd6809d79  10.0/RPMS/libsasl2-plug-login-2.1.15-10.1.100mdk.i586.rpm
 eaea38b6454677074aff221769a06ee1  10.0/RPMS/libsasl2-plug-ntlm-2.1.15-10.1.100mdk.i586.rpm
 7e48e4c3631c7017a6eb492d09b2a10f  10.0/RPMS/libsasl2-plug-otp-2.1.15-10.1.100mdk.i586.rpm
 da6cc786bda3e4e297c753708fa25d45  10.0/RPMS/libsasl2-plug-plain-2.1.15-10.1.100mdk.i586.rpm
 555eab832bf1b6e6a230a896542475c1  10.0/RPMS/libsasl2-plug-sasldb-2.1.15-10.1.100mdk.i586.rpm
 0c2992258fcea6a83a1a421f2e8bcb57  10.0/RPMS/libsasl2-plug-srp-2.1.15-10.1.100mdk.i586.rpm
 efdc07d417c7ebba707bc7bd5b13f829  10.0/SRPMS/cyrus-sasl-2.1.15-10.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 74fff1da23dab6e2ea936663bde4754f  amd64/10.0/RPMS/cyrus-sasl-2.1.15-10.1.100mdk.amd64.rpm
 4ae7d79a0035264b4991844061155b22  amd64/10.0/RPMS/lib64sasl2-2.1.15-10.1.100mdk.amd64.rpm
 ec042bcd47406ce77ca6270baaa3e30d  amd64/10.0/RPMS/lib64sasl2-devel-2.1.15-10.1.100mdk.amd64.rpm
 90bf0467dd3a84ad4bda4191e7beeda6  amd64/10.0/RPMS/lib64sasl2-plug-anonymous-2.1.15-10.1.100mdk.amd64.rpm
 0b592508b84e2b59c6d92b67bc9acc7d  amd64/10.0/RPMS/lib64sasl2-plug-crammd5-2.1.15-10.1.100mdk.amd64.rpm
 6c165b6f5a153268c090bf48867e1c16  amd64/10.0/RPMS/lib64sasl2-plug-digestmd5-2.1.15-10.1.100mdk.amd64.rpm
 80cc5dc58b8096708f136b26707a9979  amd64/10.0/RPMS/lib64sasl2-plug-gssapi-2.1.15-10.1.100mdk.amd64.rpm
 e31d97544c17cf3627c96ba30bab4566  amd64/10.0/RPMS/lib64sasl2-plug-login-2.1.15-10.1.100mdk.amd64.rpm
 c2cf0e4bf0a16bfa0f12804a38d72086  amd64/10.0/RPMS/lib64sasl2-plug-ntlm-2.1.15-10.1.100mdk.amd64.rpm
 adc938ecf528ec25ce15a42eaa0b42cc  amd64/10.0/RPMS/lib64sasl2-plug-otp-2.1.15-10.1.100mdk.amd64.rpm
 c1ea1fbea28db51ab5dc79ccd515c3ac  amd64/10.0/RPMS/lib64sasl2-plug-plain-2.1.15-10.1.100mdk.amd64.rpm
 cafbef0aa82c2a38cfcac103931536fe  amd64/10.0/RPMS/lib64sasl2-plug-sasldb-2.1.15-10.1.100mdk.amd64.rpm
 21cc68617893b2d63b3b0afc466c09b9  amd64/10.0/RPMS/lib64sasl2-plug-srp-2.1.15-10.1.100mdk.amd64.rpm
 efdc07d417c7ebba707bc7bd5b13f829  amd64/10.0/SRPMS/cyrus-sasl-2.1.15-10.1.100mdk.src.rpm

 Corporate Server 2.1:
 66cb444f56bb4217df77428198527b7f  corporate/2.1/RPMS/cyrus-sasl-1.5.27-5.1.C21mdk.i586.rpm
 ad6d0411ebddc8f0c760297cfd20c282  corporate/2.1/RPMS/libsasl7-1.5.27-5.1.C21mdk.i586.rpm
 20a039725daa6aa3a8e4140922b1a123  corporate/2.1/RPMS/libsasl7-devel-1.5.27-5.1.C21mdk.i586.rpm
 9a16c82b1de4fbaccc370e26764620ec  corporate/2.1/RPMS/libsasl7-plug-anonymous-1.5.27-5.1.C21mdk.i586.rpm
 798328f930b8262188e745fcfbd7cb43  corporate/2.1/RPMS/libsasl7-plug-crammd5-1.5.27-5.1.C21mdk.i586.rpm
 227b3b14966c940870415ed8e1590dc8  corporate/2.1/RPMS/libsasl7-plug-digestmd5-1.5.27-5.1.C21mdk.i586.rpm
 c17b0582d7bfcc49feaf98a9650458fc  corporate/2.1/RPMS/libsasl7-plug-login-1.5.27-5.1.C21mdk.i586.rpm
 455d4ae2174dad7622337bf2531e012f  corporate/2.1/RPMS/libsasl7-plug-plain-1.5.27-5.1.C21mdk.i586.rpm
 a3ea8b441b6454eda5dbf4e9f7a0e126  corporate/2.1/SRPMS/cyrus-sasl-1.5.27-5.1.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 d00de6225fcc2afb91ea13017738de9a  x86_64/corporate/2.1/RPMS/cyrus-sasl-1.5.27-5.1.C21mdk.x86_64.rpm
 49bd78a963695b794cc5f0a7d8285447  x86_64/corporate/2.1/RPMS/libsasl7-1.5.27-5.1.C21mdk.x86_64.rpm
 44c9864023686e7f4f492a4ac2e0fe53  x86_64/corporate/2.1/RPMS/libsasl7-devel-1.5.27-5.1.C21mdk.x86_64.rpm
 7d90d8f1ce6e5874996c048676a73ecd  x86_64/corporate/2.1/RPMS/libsasl7-plug-anonymous-1.5.27-5.1.C21mdk.x86_64.rpm
 f8dc759136397b2444baa4f4233c07ae  x86_64/corporate/2.1/RPMS/libsasl7-plug-crammd5-1.5.27-5.1.C21mdk.x86_64.rpm
 9d91a8842db34d9e4486736007e459c4  x86_64/corporate/2.1/RPMS/libsasl7-plug-digestmd5-1.5.27-5.1.C21mdk.x86_64.rpm
 4e82d378ad868a4f24de02d31de580f6  x86_64/corporate/2.1/RPMS/libsasl7-plug-login-1.5.27-5.1.C21mdk.x86_64.rpm
 7cef5720f54436d7b1af6d6c817a3a72  x86_64/corporate/2.1/RPMS/libsasl7-plug-plain-1.5.27-5.1.C21mdk.x86_64.rpm
 a3ea8b441b6454eda5dbf4e9f7a0e126  x86_64/corporate/2.1/SRPMS/cyrus-sasl-1.5.27-5.1.C21mdk.src.rpm

 Mandrakelinux 9.2:
 61fd385bb6c9a096d9799df48d1ee82f  9.2/RPMS/cyrus-sasl-2.1.15-4.1.92mdk.i586.rpm
 3c3514ca12a7fdd2e570aa591f455e13  9.2/RPMS/libsasl2-2.1.15-4.1.92mdk.i586.rpm
 6ba003f5d656d14144dc8d49083db212  9.2/RPMS/libsasl2-devel-2.1.15-4.1.92mdk.i586.rpm
 f86b5496c34adc514066f37b05128cf9  9.2/RPMS/libsasl2-plug-anonymous-2.1.15-4.1.92mdk.i586.rpm
 7ac83050851d59918b27ebd32f060245  9.2/RPMS/libsasl2-plug-crammd5-2.1.15-4.1.92mdk.i586.rpm
 f74524d4fa09ce1c57b64b3fa8d78c28  9.2/RPMS/libsasl2-plug-digestmd5-2.1.15-4.1.92mdk.i586.rpm
 66bd5dce305693ff83fac906d8856371  9.2/RPMS/libsasl2-plug-gssapi-2.1.15-4.1.92mdk.i586.rpm
 32aa5d36b1f3305c68cf94f98031003f  9.2/RPMS/libsasl2-plug-login-2.1.15-4.1.92mdk.i586.rpm
 6c4014739c88a866c4fbee477c619724  9.2/RPMS/libsasl2-plug-ntlm-2.1.15-4.1.92mdk.i586.rpm
 fcf63deaecb78df0821c100ba2916514  9.2/RPMS/libsasl2-plug-otp-2.1.15-4.1.92mdk.i586.rpm
 27d0589f02db89408ae4598f5cf36051  9.2/RPMS/libsasl2-plug-plain-2.1.15-4.1.92mdk.i586.rpm
 6f3ba42ebce674dc797a042dd6377b64  9.2/RPMS/libsasl2-plug-sasldb-2.1.15-4.1.92mdk.i586.rpm
 bd6a6af7f73fa380ed7b7712acced412  9.2/RPMS/libsasl2-plug-srp-2.1.15-4.1.92mdk.i586.rpm
 cc2e67e7a7df460932c8c97bbf9d79b6  9.2/SRPMS/cyrus-sasl-2.1.15-4.1.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 e932be9d60a9990f28f0cc9514c33123  amd64/9.2/RPMS/cyrus-sasl-2.1.15-4.1.92mdk.amd64.rpm
 1dda4f42fee8f8480f8a6274c533f929  amd64/9.2/RPMS/lib64sasl2-2.1.15-4.1.92mdk.amd64.rpm
 e4cd66b10b8940507ed766e3bae72b38  amd64/9.2/RPMS/lib64sasl2-devel-2.1.15-4.1.92mdk.amd64.rpm
 8c4426cf876b988cf8883db132497ae8  amd64/9.2/RPMS/lib64sasl2-plug-anonymous-2.1.15-4.1.92mdk.amd64.rpm
 02f3fc6d31ebb7c000d7060c99e63884  amd64/9.2/RPMS/lib64sasl2-plug-crammd5-2.1.15-4.1.92mdk.amd64.rpm
 a7b4c37fb6ee6bc53e315dede91e2696  amd64/9.2/RPMS/lib64sasl2-plug-digestmd5-2.1.15-4.1.92mdk.amd64.rpm
 e3f1b44b40e8ad0511c814ef6d703835  amd64/9.2/RPMS/lib64sasl2-plug-gssapi-2.1.15-4.1.92mdk.amd64.rpm
 f2cd6a80bdb93a4b345ac60cc9975e72  amd64/9.2/RPMS/lib64sasl2-plug-login-2.1.15-4.1.92mdk.amd64.rpm
 54b04103e38be7f9ac7982044d72dd83  amd64/9.2/RPMS/lib64sasl2-plug-ntlm-2.1.15-4.1.92mdk.amd64.rpm
 87d5b714dae7284efb6024ed92b83aa8  amd64/9.2/RPMS/lib64sasl2-plug-otp-2.1.15-4.1.92mdk.amd64.rpm
 eb37724460418bbe7c3f24f915c97e1d  amd64/9.2/RPMS/lib64sasl2-plug-plain-2.1.15-4.1.92mdk.amd64.rpm
 82470db324565a79a16401512fd01281  amd64/9.2/RPMS/lib64sasl2-plug-sasldb-2.1.15-4.1.92mdk.amd64.rpm
 d2ea27f377fa52e5d651b354ebf20657  amd64/9.2/RPMS/lib64sasl2-plug-srp-2.1.15-4.1.92mdk.amd64.rpm
 cc2e67e7a7df460932c8c97bbf9d79b6  amd64/9.2/SRPMS/cyrus-sasl-2.1.15-4.1.92mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBZZ6smqjQ0CJFipgRAqklAKCy85zvubFuHcjCjE65k1kylu25hwCgtgSu
P5+Ffklyg+/6K51R1aH92aI=
=gbCH
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
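
The class of bug described in the advisory, as an added example that is not part of the original advisory and is not the cyrus-sasl patch: a library that takes its plugin search path from an environment variable should ignore that variable when the process runs with elevated (setuid/setgid) privileges. The function names and the default directory below are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed built-in plugin directory; illustrative, not taken from the advisory. */
#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl2"

/* True when the process holds more privilege than the user who started it
 * (setuid or setgid binary): real and effective IDs differ. */
static int running_elevated(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Pattern the advisory describes: the caller-controlled variable always
 * wins, whatever privileges the process holds. */
const char *plugin_path_blind(const char *env_value)
{
    return (env_value && *env_value) ? env_value : DEFAULT_PLUGIN_DIR;
}

/* Hardened pattern: the variable is honoured only when the process is not
 * elevated; otherwise the built-in directory is used. */
const char *plugin_path_checked(const char *env_value, int elevated)
{
    if (elevated || !env_value || !*env_value)
        return DEFAULT_PLUGIN_DIR;
    return env_value;
}

int main(void)
{
    const char *env = getenv("SASL_PATH");

    printf("blind:   %s\n", plugin_path_blind(env));
    printf("checked: %s\n", plugin_path_checked(env, running_elevated()));
    return 0;
}
```

On glibc, secure_getenv() performs an equivalent check inside the C library and returns NULL for the variable when the process runs in secure-execution mode.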

