Security Information / 2015 / Security Information -- DSA-3368-1 cyrus-sasl2

Debian Security Advisory

DSA-3368-1 cyrus-sasl2 -- security update

Date Reported:

25 Sep 2015

Affected Packages:

cyrus-sasl2

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 784112.
In Mitre's CVE dictionary: CVE-2013-4122.

More information:

It was discovered that cyrus-sasl2, a library implementing the Simple Authentication and Security Layer, does not properly handle certain invalid password salts. A remote attacker can take advantage of this flaw to cause a denial of service.

For the stable distribution (jessie), this problem has been fixed in version 2.1.26.dfsg1-13+deb8u1.

For the unstable distribution (sid), this problem has been fixed in version 2.1.26.dfsg1-14.

We recommend that you upgrade your cyrus-sasl2 packages.