Your message dated Sat, 21 Dec 2019 16:33:40 +0000
with message-id <e1iihhe-0006bc...@fasolo.debian.org>
and subject line Bug#947043: fixed in cyrus-sasl2 2.1.27~101-g0780600+dfsg-3+deb9u1
has caused the Debian Bug report #947043,
regarding cyrus-sasl2: CVE-2019-19906: Off-by-one in _sasl_add_string function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
947043: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947043
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: cyrus-sasl2
Version: 2.1.27+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/cyrusimap/cyrus-sasl/issues/587
Control: found -1 2.1.27~101-g0780600+dfsg-3

Hi,

The following vulnerability was published for cyrus-sasl2.

CVE-2019-19906[0]:
Off by one in _sasl_add_string function

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-19906
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
[1] https://github.com/cyrusimap/cyrus-sasl/issues/587

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: cyrus-sasl2
Source-Version: 2.1.27~101-g0780600+dfsg-3+deb9u1

We believe that the bug you reported is fixed in the latest version of
cyrus-sasl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 947...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated cyrus-sasl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Dec 2019 23:13:43 +0100
Source: cyrus-sasl2
Architecture: source
Version: 2.1.27~101-g0780600+dfsg-3+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Cyrus SASL Team <pkg-cyrus-sasl2-debian-de...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 947043
Changes:
 cyrus-sasl2 (2.1.27~101-g0780600+dfsg-3+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Off-by-one in _sasl_add_string function (CVE-2019-19906) (Closes: #947043)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---