[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-09 Thread Launchpad Bug Tracker
This bug was fixed in the package cyrus-sasl2 - 2.1.25.dfsg1-6ubuntu0.1

---
cyrus-sasl2 (2.1.25.dfsg1-6ubuntu0.1) raring-security; urgency=low

  * SECURITY UPDATE: denial of service via invalid salt (LP: #1187001)
    - debian/patches/CVE-2013-4122.patch: properly handle glibc

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-07 Thread Marc Deslauriers
This issue only affects Raring and newer. Already fixed in saucy.

** Also affects: cyrus-sasl2 (Ubuntu Lucid) Importance: Undecided Status: New
** Also affects: cyrus-sasl2 (Ubuntu Precise) Importance: Undecided Status: New
** Also affects: cyrus-sasl2 (Ubuntu Quantal)

Re: [Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-04 Thread HappyCamper
On 02/10/2013 08:09, Seth Arnold wrote: Are you confident about multi-threading? I don't see any linker commands to link against the threading libraries in our build logs: https://launchpadlibrarian.net/92810645/buildlog_ubuntu-precise-amd64.cyrus-sasl2_2.1.25.dfsg1-3_BUILDING.txt.gz and I

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-04 Thread mancha
Hi. This issue was assigned CVE-2013-4122: http://openwall.com/lists/oss-security/2013/07/13/1 --mancha ** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-4122 -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-04 Thread mancha
I just updated the upstream bugzilla report to reflect the CVE assignment and link my point release patches. https://bugzilla.cyrusimap.org/show_bug.cgi?id=3803 ** Bug watch added: bugzilla.cyrusimap.org/ #3803 http://bugzilla.cyrusimap.org/show_bug.cgi?id=3803 -- You received this bug

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-04 Thread Seth Arnold
Mancha, thanks! I'm sorry I overlooked it. (Even worse, I did the triage way back when I forgot about it in the meantime: http://people.canonical.com/~ubuntu-security/cve/2013/CVE-2013-4122.html ) -- You received this bug notification because you are a member of Ubuntu Server Team, which is

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-02 Thread Seth Arnold
Are you confident about multi-threading? I don't see any linker commands to link against the threading libraries in our build logs: https://launchpadlibrarian.net/92810645/buildlog_ubuntu-precise-amd64.cyrus-sasl2_2.1.25.dfsg1-3_BUILDING.txt.gz and I also see extensive use of fork(2) in the

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-02 Thread chud
I think default THREADS=5 in /etc/default/saslauthd, after these all crash [as above] then that's the end of SASL working. (at least that is what happened for me, repeatedly). Setting this to THREADS=0 has worked around the issue (for me anyway) as it makes it fork instead. -- You received

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-01 Thread Seth Arnold
** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1187001 Title: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-01 Thread Seth Arnold
I think this hasn't been addressed in part because it didn't get a CVE number: http://openwall.com/lists/oss-security/2013/07/12/4 Since the service appears to be restarting without qualm, I can see why it didn't get a CVE, but this does seem less than awesome. Mancha made a lot of patches for

Re: [Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-10-01 Thread HappyCamper
Hi Thanks. Also note the use of crypt() in a multithreaded application. Must be crypt_r(). CU, Arno Seth Arnold 1187...@bugs.launchpad.net wrote: I think this hasn't been addressed in part because it didn't get a CVE number: http://openwall.com/lists/oss-security/2013/07/12/4 Since the

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-08-16 Thread HappyCamper
BTW, shouldn't saslauthd use crypt_r(), it being a multi-threaded beasty? ;o) -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cyrus-sasl2 in Ubuntu. https://bugs.launchpad.net/bugs/1187001 Title: saslauthd[26791]: segfault at 0 ip

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-08-16 Thread HappyCamper
Hi all I can reproduce the problem when I run saslauthd with authmech shadow: saslauthd -a shadow and then try to authenticate users that have a crippled /etc/shadow entry. By crippled I mean ! or * as password entry, as for root, mail, nobody. When I run the 2.1.25 stock source with

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-06-13 Thread chud
If anyone else is suffering this I installed fail2ban as a workaround, the attacker's IP gets banned before SASL falls over. -- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cyrus-sasl2 in Ubuntu.

[Bug 1187001] Re: saslauthd[26791]: segfault at 0 ip b71de6f1 sp bfcd2d9c error 4 in libc-2.17.so[b7160000+1ad000]

2013-06-04 Thread Yolanda Robla
** Changed in: cyrus-sasl2 (Ubuntu) Status: New => Confirmed
** Changed in: cyrus-sasl2 (Ubuntu) Importance: Undecided => High
-- You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to cyrus-sasl2 in Ubuntu.