Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 129523 - dev-libs/cyrus-sasl: (<2.1.21) DoS during DIGEST-MD5 negociation (CVE-2006-1721)
Summary: dev-libs/cyrus-sasl: (<2.1.21) DoS during DIGEST-MD5 negociation (CVE-2006-1721)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: A3 [glsa] Falco
Keywords:
: 130733 (view as bug list)
Depends on:
Blocks:
 
Reported: 2006-04-10 13:40 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2006-11-11 20:06 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-10 13:40:33 UTC 
"A denial of service condition exists in the SASL authentication library during
DIGEST-MD5 negotiation. This potentially affects multiple products that use
SASL DIGEST-MD5 authentication including OpenLDAP, Sendmail, Postfix, Apple,
etc.
All users of this authentication library are recommended to upgrade to 2.1.21
which fixes these problems."

2.1.21 is now ~arch on every arch.


seen on full-disclosure@
http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0180.html
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-10 13:57:32 UTC 
2.1.21 corrects the vuln, while last stable is 2.1.20.

Arches, please test at least one of 2.1.21(-r[12])? and mark stable, thank you.
Comment 2 Fernando J. Pereda (RETIRED) gentoo-dev 2006-04-10 14:54:28 UTC 
-r2 Alpha'lized !
Comment 3 Chris Gianelloni (RETIRED) gentoo-dev 2006-04-11 04:51:00 UTC 
x86 done
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2006-04-11 08:31:31 UTC 
sparc stable.
Comment 5 Markus Rothe (RETIRED) gentoo-dev 2006-04-11 12:31:20 UTC 
stable on ppc64
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-04-14 06:00:54 UTC 
is now CVE-2006-1721

arches, please don't forget this one, thanks. (From http://www.gentoo.org/security/en/vulnerability-policy.xml , adm64, hppa and ppc stabilizations are still needed before closing the bug.)
Comment 7 René Nussbaumer (RETIRED) gentoo-dev 2006-04-14 07:05:55 UTC 
stable on hppa
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2006-04-15 05:54:29 UTC 
amd64, ppc please test and mark stable
Comment 9 Matti Bickel (RETIRED) gentoo-dev 2006-04-15 07:07:43 UTC 
Compiles and runs the test-server && client on ppc (USE="sample"), any further tests i could do?
Comment 10 Tobias Scherbaum (RETIRED) gentoo-dev 2006-04-15 08:17:15 UTC 
ppc stable
Comment 11 Simon Stelling (RETIRED) gentoo-dev 2006-04-15 10:29:53 UTC 
amd64 done
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-04-20 21:49:23 UTC 
GLSA 200604-09

arm, ia64, mips, s390 don't forget to mark stable to benifit from the GLSA.
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2006-04-21 07:55:43 UTC 
*** Bug 130733 has been marked as a duplicate of this bug. ***
Comment 14 Tuan Van (RETIRED) gentoo-dev 2006-04-21 09:36:59 UTC 
(In reply to comment #12)
> GLSA 200604-09
> 
> arm, ia64, mips, s390 don't forget to mark stable to benifit from the GLSA.
> 

I am about to removed all ebuild <2.1.21-r2 and noticed mips has stable keyword in cyrus-sasl-2.1.20.ebuild but has not stable 2.1.21-r2 yet.
Comment 15 Joshua Kinard gentoo-dev 2006-09-03 15:57:01 UTC 
Stable on mips.