CVE-2019-19906

Опубликовано: 19 дек. 2019

Источник: debian

EPSS Низкий

Описание

cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
cyrus-sasl2	fixed	2.1.27+dfsg-2		package

Примечания

https://github.com/cyrusimap/cyrus-sasl/issues/587
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1 (master)
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/f96ba043fb9ffd30f7089564164203136506e7ab (master)
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/332b8c591b662bce4a2dae55cad9784e15096908 (cyrus-sasl-2.1.28)
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/5ac1beeb574cd9d0a518d72330b19d2460688089 (cyrus-sasl-2.1.28)
https://www.openldap.org/its/index.cgi/Incoming?id=9123
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28
DSA-4591-1 applied only the first part of the fix which was incomplete (but can be
considered a functional incomplete fix, thus not warranting a CVE):
https://github.com/cyrusimap/cyrus-sasl/pull/655
The functional incomplete fix was already addressed in unstable with 2.1.27+dfsg2-1

EPSS

Процентиль: 60%

0.00396

Низкий

Связанные уязвимости

CVE-2019-19906

CVSS3: 7.5

ubuntu

почти 6 лет назад

CVE-2019-19906

CVSS3: 7.5

redhat

около 6 лет назад

CVE-2019-19906

CVSS3: 7.5

nvd

почти 6 лет назад

CVE-2019-19906

CVSS3: 7.5

msrc

больше 5 лет назад

Описание отсутствует

SUSE-SU-2022:3549-1

suse-cvrf

около 3 лет назад

Security update for cyrus-sasl

EPSS

Процентиль: 60%

0.00396

Низкий