Debian Security Advisory

DSA-5087-1 cyrus-sasl2 -- security update

Date Reported:
25 Feb 2022
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2022-24407.
More information:

It was discovered that the SQL plugin in cyrus-sasl2, a library implementing the Simple Authentication and Security Layer, is prone to a SQL injection attack. An authenticated remote attacker can take advantage of this flaw to execute arbitrary SQL commands and for privilege escalation.

For the oldstable distribution (buster), this problem has been fixed in version 2.1.27+dfsg-1+deb10u2.

For the stable distribution (bullseye), this problem has been fixed in version 2.1.27+dfsg-2.1+deb11u1.

We recommend that you upgrade your cyrus-sasl2 packages.

For the detailed security status of cyrus-sasl2 please refer to its security tracker page at: