On Mon, Jun 01, 2009 at 02:42:10PM +0200, Nico Golde wrote:
> James Ralston discovered that the sasl_encode64() function of cyrus-sasl2,
> a free library implementing the Simple Authentication and Security Layer,
> suffers from a missing null termination in certain situations. This causes
> several buffer overflows in situations where cyrus-sasl2 itself requires
> the string to be null terminated which can lead to denial of service or
> arbitrary code execution.
> For the oldstable distribution (etch), this problem will be fixed soon.

2.1.22.dfsg1-8+etch1 has now appeared in the security archive which appears
to fix this problem, but no subsequent advisory has been released. Is this
an oversight?

Cheers,
Dominic.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
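The bug class the quoted advisory describes, shown from the defender's side as an added illustration (constructed example code, not cyrus-sasl's sasl_encode64() and not the Debian fix): an encoder that reserves room for the terminating NUL before writing anything and refuses a buffer that fits the text but not the NUL, so a caller that later treats the result as a C string can never read past the end.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Hypothetical encoder (assumption: not the cyrus-sasl API). Base64-encodes
 * `in` into `out`. Either writes the text plus a NUL or writes nothing and
 * returns -1; it never leaves an unterminated buffer behind. */
int safe_encode64(const unsigned char *in, size_t inlen,
                  char *out, size_t outmax, size_t *outlen)
{
    size_t need = ((inlen + 2) / 3) * 4;   /* encoded length without NUL */
    /* The advisory's failure mode is a buffer that holds exactly `need`
       bytes: the text fits, the terminator does not. Refuse that up front. */
    if (out == NULL || outmax < need + 1)
        return -1;
    size_t o = 0;
    for (size_t i = 0; i < inlen; i += 3) {
        uint32_t v = (uint32_t)in[i] << 16;
        if (i + 1 < inlen) v |= (uint32_t)in[i + 1] << 8;
        if (i + 2 < inlen) v |= (uint32_t)in[i + 2];
        out[o++] = B64[(v >> 18) & 63];
        out[o++] = B64[(v >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? B64[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < inlen) ? B64[v & 63] : '=';
    }
    out[o] = '\0';                          /* always terminated on success */
    if (outlen) *outlen = o;
    return 0;
}

/* Exact-fit case: 4 bytes hold "TWFu" but not its NUL. A safe encoder
   returns -1 here instead of handing back an unterminated string. */
int encode_exact_fit_rc(void)
{
    char out[4];
    return safe_encode64((const unsigned char *)"Man", 3, out, sizeof out, NULL);
}

/* Correctly sized buffer: returns 1 when the text and terminator are both
   present, so strlen()/strcmp() on `out` are safe. */
int encode_with_nul_ok(void)
{
    char out[5];
    size_t n = 0;
    if (safe_encode64((const unsigned char *)"Man", 3, out, sizeof out, &n) != 0)
        return 0;
    return n == 4 && strcmp(out, "TWFu") == 0;
}
```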