On Tue, Apr 25, 2006 at 11:22:35AM -0700, Dan Nicholson wrote: > On 4/24/06, Archaic <[EMAIL PROTECTED]> wrote: > > > > Does this new sasl version fix the vulnerability with digest-md5? > > This was just checked in. Does it ring a bell? Should I port it back > to 2.1.21? > > https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.178&r2=1.179 > > Log entry is "Prevent buffer overrun when DIGEST-MD5 plugin receives a > packet shorter than 16 bytes."
That sounds like the fix. However, http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=7766 seems to say that 2.1.21 isn't affected, yet the fix is in the main branch (which is also the only branch I saw). http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721 also seems to say that 2.1.21 isn't affected, but gentoo says otherwise: http://www.gentoo.org/security/en/glsa/glsa-200604-09.xml I guess seeing if the diff applies is the best answer we could get. -- Archaic Want control, education, and security from your operating system? Hardened Linux From Scratch http://www.linuxfromscratch.org/hlfs -- http://linuxfromscratch.org/mailman/listinfo/blfs-book FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
