Message-ID: <20041008113713.GA3574@tsunami.trustix.net>
Date: Fri, 8 Oct 2004 13:37:13 +0200
From: Trustix Security Advisor <tsl@...stix.org>
To: bugtraq@...urityfocus.com
Subject: TSLSA-2004-0053 - cyrus-sasl


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0053

Package name:      cyrus-sasl
Summary:           Insecure handling of environment variable
Date:              2004-10-08
Affected versions: Trustix Secure Linux 2.0
                   Trustix Secure Linux 2.1
                   Trustix Operating System - Enterprise Server 2

- --------------------------------------------------------------------------
Package description:
  The cyrus-sasl package contains the Cyrus implementation of SASL.
  SASL is the Simple Authentication and Security Layer, a method for
  adding authentication support to connection-based protocols.

Problem description:
  Kurt Lieber <klieber at gentoo dot org> reported that libsasl honors the
  SASL_PATH environment variable blindly when locating its plugins. A local
  user can therefore compile a "library" of their own and have it loaded and
  executed with the effective ID of the program that links libsasl.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0884 to this issue.
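  The defensive pattern behind this class of bug, as an added illustration
  that is not Trustix's or Cyrus SASL's own code: a plugin-directory
  selection routine that ignores an environment-supplied search path
  whenever the process runs with credentials that differ from the
  invoking user's. All names (plugin_dir_unsafe, plugin_dir_safe,
  process_is_privileged, sasl_plugin_dir) and the default directory
  are assumptions made for the example.

```c
/* Added example, not code from the advisory or from the cyrus-sasl
 * package. Shows the unsafe "trust the variable" pattern next to a
 * hardened variant. Names and the default directory are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed compiled-in default; the real location is distribution-specific. */
#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl2"

/* Unsafe pattern (kept for contrast): whatever the caller's environment
 * says is used unconditionally. In a set-uid/set-gid program the
 * environment is attacker-controlled, so the attacker picks the
 * directory from which shared objects are dlopen()ed. */
const char *plugin_dir_unsafe(const char *env_value)
{
    return env_value ? env_value : DEFAULT_PLUGIN_DIR;
}

/* Hardened pattern: the override is honoured only when the process is
 * not privileged and the value is a non-empty absolute path. */
const char *plugin_dir_safe(const char *env_value, int privileged)
{
    if (privileged)
        return DEFAULT_PLUGIN_DIR;          /* never trust env under set-id */
    if (env_value == NULL || env_value[0] != '/')
        return DEFAULT_PLUGIN_DIR;          /* unset, empty or relative */
    return env_value;
}

/* "Privileged" here means the real and effective ids differ, i.e. the
 * program gained privilege from a set-uid/set-gid bit rather than from
 * the user who set up its environment. */
int process_is_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Entry point a plugin loader would call before searching for .so files. */
const char *sasl_plugin_dir(void)
{
    return plugin_dir_safe(getenv("SASL_PATH"), process_is_privileged());
}

int main(void)
{
    printf("plugin directory in use: %s\n", sasl_plugin_dir());
    return 0;
}
```

  On glibc the same effect is obtained with secure_getenv(), which returns
  NULL whenever the kernel flagged the process as AT_SECURE; the explicit
  uid/gid comparison above is the portable fallback. Either way the check
  belongs in the library, not in each calling program, because the library
  cannot know which of its users are set-id.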


Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.


Location:
  All Trustix Secure Linux updates are available from
  <URI:http://http.trustix.org/pub/trustix/updates/>
  <URI:ftp://ftp.trustix.org/pub/trustix/updates/>


About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With focus
  on security and stability, the system is painlessly kept safe and up to
  date from day one using swup, the automated software updater.


Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically
  installed using 'swup --upgrade'.


Questions?
  Check out our mailing lists:
  <URI:http://www.trustix.org/support/>


Verification:
  This advisory along with all Trustix packages are signed with the
  TSL sign key.
  This key is available from:
  <URI:http://www.trustix.org/TSL-SIGN-KEY>

  The advisory itself is available from the errata pages at
  <URI:http://www.trustix.org/errata/trustix-2.0/> and
  <URI:http://www.trustix.org/errata/trustix-2.1/>
  or directly at
  <URI:http://www.trustix.org/errata/2004/0053/>


MD5sums of the packages:
- --------------------------------------------------------------------------
4af05e282564f6fe2607050dc74e9069  2.1/rpms/cyrus-sasl-2.1.15-8tr.i586.rpm
695f42006b0a6c75cd65e3dd6138d7e5  2.1/rpms/cyrus-sasl-devel-2.1.15-8tr.i586.rpm
6409b2efc33c634058e57550ff92b227  2.1/rpms/cyrus-sasl-md5-2.1.15-8tr.i586.rpm
a59a6f63291b9fcbe16f2b89465d723d  2.1/rpms/cyrus-sasl-mysql-2.1.15-8tr.i586.rpm
3fc625bd28e59db1b78b79fd428e65a7  2.1/rpms/cyrus-sasl-otp-2.1.15-8tr.i586.rpm
7e2e781deab55846d0c59cb859c26349  2.1/rpms/cyrus-sasl-plain-2.1.15-8tr.i586.rpm
b8074dad5e817bacdf25c601fc2096d8  2.1/rpms/cyrus-sasl-utils-2.1.15-8tr.i586.rpm

e19a5ef6d7c6fe7127a3b3f222d48377  2.0/rpms/cyrus-sasl-2.1.15-5tr.i586.rpm
75328d33529e51ca323d219c59bd14fe  2.0/rpms/cyrus-sasl-devel-2.1.15-5tr.i586.rpm
00968a1ae5592795c340fd44b6561f0e  2.0/rpms/cyrus-sasl-md5-2.1.15-5tr.i586.rpm
6342fda511daf5cfe3c61d3652863a26  2.0/rpms/cyrus-sasl-mysql-2.1.15-5tr.i586.rpm
7492025aba5fae1f60f2a86da37fb4cc  2.0/rpms/cyrus-sasl-otp-2.1.15-5tr.i586.rpm
9cdfab8c8b4f4578d29a6b2e7b32254f  2.0/rpms/cyrus-sasl-plain-2.1.15-5tr.i586.rpm
e664d84f1661270d06fa1e6b3b089208  2.0/rpms/cyrus-sasl-utils-2.1.15-5tr.i586.rpm

6efcf6483076aa1db6a25ff6f3962222  e-2/rpms/cyrus-sasl-2.1.15-8tr.i586.rpm
9f3778e984587f4f9b053adfc09d84f1  e-2/rpms/cyrus-sasl-devel-2.1.15-8tr.i586.rpm
dc9a9ec47f9082378214523c07fe680f  e-2/rpms/cyrus-sasl-md5-2.1.15-8tr.i586.rpm
86a4defb48589ebbd8e4631bf4547023  e-2/rpms/cyrus-sasl-mysql-2.1.15-8tr.i586.rpm
2f1c114260d1657f46dcd27a96e97bc7  e-2/rpms/cyrus-sasl-otp-2.1.15-8tr.i586.rpm
a4e581f397453cbd9011f61791f177fb  e-2/rpms/cyrus-sasl-plain-2.1.15-8tr.i586.rpm
0f5fdc476c7de211efce071166691775  e-2/rpms/cyrus-sasl-utils-2.1.15-8tr.i586.rpm
- --------------------------------------------------------------------------


Trustix Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQFBZnu5i8CEzsK9IksRAjevAJ43J5l2zyJ03Jz1edKQyMVOsU8nrgCfTRrf
GgOZQ0CItjCX33nVIy7G36M=
=NA/g
-----END PGP SIGNATURE-----

