CVE-2004-0884
CVSS 7.2
Published: 2005-01-27 00:00:00
Revised: 2016-10-17 22:49:40

[Original] The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs.


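[CNNVD] Cyrus SASL SASL_PATH code execution vulnerability (CNNVD-200501-282)

        Cyrus SASL is open-source software for secure authentication.
        The libsasl and libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier contain a code execution vulnerability.
        Because the libraries trust the SASL_PATH environment variable and look for all available SASL plug-ins under the path it specifies, a local user can modify SASL_PATH to point to malicious programs and thereby execute arbitrary code.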
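
The weakness described above is a library taking its plug-in directory from the environment even when the calling program runs setuid or setgid. The following C sketch is an added example, not code from Cyrus SASL or from any advisory on this page; the function names and the default directory `/usr/lib/sasl2` are assumptions. It shows the defensive pattern: ignore `SASL_PATH` whenever real and effective ids differ, and reject empty or relative path elements otherwise.

```c
/* Added example: selecting a plug-in search path without trusting the
 * environment in a privileged process. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl2"   /* assumed compiled-in default */

/* A process runs with elevated privilege when its effective ids differ from
 * its real ids, i.e. it was started from a setuid or setgid binary. */
static int runs_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Accept only a colon-separated list whose elements are all absolute paths.
 * An empty or relative element would resolve against the current directory,
 * which the caller of the program controls. */
static int path_list_is_sane(const char *list)
{
    const char *p = list;

    if (list == NULL || *list == '\0')
        return 0;
    for (;;) {
        if (*p != '/')              /* element is empty or relative */
            return 0;
        p = strchr(p, ':');
        if (p == NULL)
            return 1;               /* last element checked */
        p++;                        /* start of the next element */
    }
}

/* Decide which directory list the plug-in loader may search. The ids are
 * parameters so the decision can be exercised without a setuid binary. */
static const char *select_plugin_path(uid_t ruid, uid_t euid,
                                      gid_t rgid, gid_t egid,
                                      const char *env_value)
{
    if (runs_privileged(ruid, euid, rgid, egid))
        return DEFAULT_PLUGIN_DIR;  /* never honour SASL_PATH here */
    if (!path_list_is_sane(env_value))
        return DEFAULT_PLUGIN_DIR;
    return env_value;
}

/* Wrapper that applies the decision to the running process. */
static const char *plugin_path_for_this_process(void)
{
    return select_plugin_path(getuid(), geteuid(), getgid(), getegid(),
                              getenv("SASL_PATH"));
}

int main(void)
{
    printf("plug-in search path: %s\n", plugin_path_for_this_process());
    return 0;
}
```

Comparing real and effective ids does not cover privilege gained through Linux file capabilities; on glibc, `secure_getenv` handles that case as well.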

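- CVSS (base score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]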

- CPE (affected platforms and products)

cpe:/a:cyrus:sasl:1.5.28
cpe:/o:conectiva:linux:10.0 Conectiva Linux 10.0
cpe:/a:cyrus:sasl:2.1.18
cpe:/a:cyrus:sasl:1.5.24
cpe:/a:cyrus:sasl:2.1.15
cpe:/a:cyrus:sasl:2.1.9
cpe:/a:cyrus:sasl:1.5.27
cpe:/o:conectiva:linux:9.0 Conectiva Linux 9.0
cpe:/a:cyrus:sasl:2.1.17
cpe:/a:cyrus:sasl:2.1.14
cpe:/a:cyrus:sasl:2.1.11
cpe:/a:cyrus:sasl:2.1.16
cpe:/a:cyrus:sasl:2.1.18_r1
cpe:/a:cyrus:sasl:2.1.13
cpe:/a:cyrus:sasl:2.1.10
cpe:/a:cyrus:sasl:2.1.12

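- OVAL (technical details for detection)

oval:org.mitre.oval:def:11678 The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available S...
* OVAL describes in detail how to detect this vulnerability; further technical details for detecting it can be found in the relevant OVAL definition.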

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0884
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0884
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200501-282
(Official data source) CNNVD

- Other links and resources

http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134657
(UNKNOWN)  CONFIRM  http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134657
http://lists.apple.com/archives/security-announce/2005/Mar/msg00000.html
(UNKNOWN)  APPLE  APPLE-SA-2005-03-21
http://marc.info/?l=bugtraq&m=110693126007214&w=2
(UNKNOWN)  BUGTRAQ  20050128 [OpenPKG-SA-2005.004] OpenPKG Security Advisory (sasl)
http://rhn.redhat.com/errata/RHSA-2004-546.html
(UNKNOWN)  REDHAT  RHSA-2004:546
http://www.ciac.org/ciac/bulletins/p-003.shtml
(UNKNOWN)  CIAC  P-003
http://www.debian.org/security/2004/dsa-563
(VENDOR_ADVISORY)  DEBIAN  DSA-563
http://www.debian.org/security/2004/dsa-568
(UNKNOWN)  DEBIAN  DSA-568
http://www.gentoo.org/security/en/glsa/glsa-200410-05.xml
(UNKNOWN)  GENTOO  GLSA-200410-05
http://www.mandriva.com/security/advisories?name=MDKSA-2004:106
(UNKNOWN)  MANDRAKE  MDKSA-2004:106
http://www.securityfocus.com/bid/11347
(VENDOR_ADVISORY)  BID  11347
http://www.trustix.net/errata/2004/0053/
(UNKNOWN)  TRUSTIX  2004-0053
http://xforce.iss.net/xforce/xfdb/17643
(VENDOR_ADVISORY)  XF  cyrus-sasl-saslpath(17643)
https://bugzilla.fedora.us/show_bug.cgi?id=2137
(UNKNOWN)  FEDORA  FLSA:2137

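- Vulnerability information

Cyrus SASL SASL_PATH code execution vulnerability
High risk  Boundary condition error
2005-01-27 00:00:00 2005-10-20 00:00:00
Remote ※ Local
        Cyrus SASL is open-source software for secure authentication.
        The libsasl and libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier contain a code execution vulnerability.
        Because the libraries trust the SASL_PATH environment variable and look for all available SASL plug-ins under the path it specifies, a local user can modify SASL_PATH to point to malicious programs and thereby execute arbitrary code.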

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://cyrusimap.web.cmu.edu/downloads.html#sasl

- Vulnerability information (F34671)

Debian Linux Security Advisory 568-1 (PacketStormID:F34671)
2004-10-16 00:00:00
Debian  debian.org
advisory,arbitrary,local,protocol
linux,debian
CVE-2004-0884

Debian Security Advisory DSA 568-1 - A vulnerability has been discovered in the Cyrus implementation of the SASL library, the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. The library honors the environment variable SASL_PATH blindly, which allows a local user to link against a malicious library to run arbitrary code with the privileges of a setuid or setgid application.


--------------------------------------------------------------------------
Debian Security Advisory DSA 568-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 16th, 2004                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : cyrus-sasl-mit
Vulnerability  : unsanitised input
Problem-Type   : local
Debian-specific: no
CVE ID         : CAN-2004-0884
Debian Bug     : 275498

A vulnerability has been discovered in the Cyrus implementation of the
SASL library, the Simple Authentication and Security Layer, a method
for adding authentication support to connection-based protocols.  The
library honors the environment variable SASL_PATH blindly, which
allows a local user to link against a malicious library to run
arbitrary code with the privileges of a setuid or setgid application.

The MIT version of the Cyrus implementation of the SASL library 
provides bindings against MIT GSSAPI and MIT Kerberos4.

For the stable distribution (woody) this problem has been fixed in
version 1.5.24-15woody3.

For the unstable distribution (sid) this problem will be fixed soon.

We recommend that you upgrade your libsasl packages.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/cyrus-sasl-mit_1.5.24-15woody3.dsc
      Size/MD5 checksum:      737 c28b9688bbb9de9f920594ba8ac2b9d5
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/cyrus-sasl-mit_1.5.24-15woody3.diff.gz
      Size/MD5 checksum:   125280 324fed374135082dce487d78f46db72f
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/cyrus-sasl-mit_1.5.24.orig.tar.gz
      Size/MD5 checksum:   494457 ac3837c071c258b80021325936db2583

  Alpha architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_alpha.deb
      Size/MD5 checksum:    38780 daa298d1425c5381e5d223c04fd16312
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_alpha.deb
      Size/MD5 checksum:    30282 d6b4f4eb7a96a320094ea8ff698a68bd

  ARM architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_arm.deb
      Size/MD5 checksum:    37270 85d60315293f4115f5b8469262a8e839
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_arm.deb
      Size/MD5 checksum:    28368 834ab3c7b7db63e7b6420986ecbcfe02

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_i386.deb
      Size/MD5 checksum:    37012 0a70a5abb8a75f9407a492f7342360be
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_i386.deb
      Size/MD5 checksum:    28188 8e472ccc4076d9ce7596363e53c4401f

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_ia64.deb
      Size/MD5 checksum:    41274 fa2ef8e398ca8c1cf733ea86f017a8ea
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_ia64.deb
      Size/MD5 checksum:    32360 4933dc10dcc21dd22968a7eb9ecee6a7

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_hppa.deb
      Size/MD5 checksum:    38502 07c04f8e1709650cfc8a9dcf06dcca82
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_hppa.deb
      Size/MD5 checksum:    29204 fa6282350f600ab5aacc0cdc9c1ee808

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_m68k.deb
      Size/MD5 checksum:    36788 bad1e3f4176662fba63453703e211257
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_m68k.deb
      Size/MD5 checksum:    27630 628baec08c7e6a80aff4488a51f02cad

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_mips.deb
      Size/MD5 checksum:    37782 c2f35e650480997a46e5b4c1cc296e7e
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_mips.deb
      Size/MD5 checksum:    28908 ff69ef3da95dbfd5cf864ade8dac62f0

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_mipsel.deb
      Size/MD5 checksum:    37832 b31c15dd670ad1904774a57dd095f415
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_mipsel.deb
      Size/MD5 checksum:    29040 bc88918a756dd4377b48be517ccea2a7

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_powerpc.deb
      Size/MD5 checksum:    37638 7396523c424cd0b03d58d63e7ca536cb
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_powerpc.deb
      Size/MD5 checksum:    28244 7e39eabb00f2233e62e7bdefca914700

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_s390.deb
      Size/MD5 checksum:    37572 c9e5305655d96d335c215b4536c0f32f
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_s390.deb
      Size/MD5 checksum:    28434 ff0cff9f384c417691d0203514c36b73

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-gssapi-mit_1.5.24-15woody3_sparc.deb
      Size/MD5 checksum:    36976 ab2a53ba08000123584eb0ccbaeeb07f
    http://security.debian.org/pool/updates/main/c/cyrus-sasl-mit/libsasl-krb4-mit_1.5.24-15woody3_sparc.deb
      Size/MD5 checksum:    27950 abd92b81a11ac1bdd3cc585c961b3ba6


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>



    

- Vulnerability information (F34614)

Gentoo Linux Security Advisory 200410-5 (PacketStormID:F34614)
2004-10-13 00:00:00
Gentoo  security.gentoo.org
advisory,vulnerability
linux,gentoo
CVE-2004-0884

Gentoo Linux Security Advisory GLSA 200410-05 - Cyrus-SASL contains two vulnerabilities that might allow an attacker to completely compromise the vulnerable system.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Cyrus-SASL: Buffer overflow and SASL_PATH vulnerabilities
      Date: October 07, 2004
      Bugs: #56016
        ID: 200410-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Cyrus-SASL contains two vulnerabilities that might allow an attacker to
completely compromise the vulnerable system.

Background
==========

Cyrus-SASL is an implementation of the Simple Authentication and
Security Layer.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /   Vulnerable   /                Unaffected
    -------------------------------------------------------------------
  1  dev-libs/cyrus-sasl     <= 2.1.18-r1                 >= 2.1.18-r2

Description
===========

Cyrus-SASL contains a remote buffer overflow in the digestmda5.c file.
Additionally, under certain conditions it is possible for a local user
to exploit a vulnerability in the way the SASL_PATH environment
variable is honored (CAN-2004-0884).

Impact
======

An attacker might be able to execute arbitrary code with the Effective
ID of the application calling the Cyrus-SASL libraries.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Cyrus-SASL users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv ">=dev-libs/cyrus-sasl-2.1.18-r2"
    # emerge ">=dev-libs/cyrus-sasl-2.1.18-r2"

References
==========

  [ 1 ] CAN-2004-0884
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0884

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-05.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
    

- Vulnerability information

10555
Cyrus SASL SASL_PATH Variable Overflow
Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-10-08 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Cyrus SASL Multiple Remote And Local Vulnerabilities
Boundary Condition Error 11347
Yes Yes
2004-10-07 12:00:00 2009-07-12 07:06:00
The individual or individuals responsible for disclosure of these issues are currently unknown; these issues were disclosed in the referenced Gentoo advisory.

- Affected program versions

S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux 8.1
S.u.S.E. Linux 8.0 i386
S.u.S.E. Linux 8.0
S.u.S.E. cvsup-16.1h-36.i586.rpm
+ S.u.S.E. Linux Personal 9.0
Red Hat Fedora Core1
OpenPKG OpenPKG 2.2
OpenPKG OpenPKG 2.1
Cyrus SASL 2.1.18 -r1
+ Gentoo Linux 1.4
Cyrus SASL 2.1.18
Cyrus SASL 2.1.17
Cyrus SASL 2.1.16
Cyrus SASL 2.1.15
Cyrus SASL 2.1.14
Cyrus SASL 2.1.13
Cyrus SASL 2.1.12
Cyrus SASL 2.1.11
Cyrus SASL 2.1.10
Cyrus SASL 2.1.9
+ RedHat Linux 8.0 i386
+ RedHat Linux 8.0
Cyrus SASL 1.5.28
Cyrus SASL 1.5.27
+ MandrakeSoft Corporate Server 2.1 x86_64
+ MandrakeSoft Corporate Server 2.1
Cyrus SASL 1.5.24
+ Red Hat Enterprise Linux AS 2.1
+ RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
+ RedHat Advanced Workstation for the Itanium Processor 2.1
+ RedHat Enterprise Linux ES 2.1
+ RedHat Enterprise Linux WS 2.1
+ RedHat Linux Advanced Work Station 2.1
Conectiva Linux 10.0
Conectiva Linux 9.0
Apple Mac OS X Server 10.3.8
Apple Mac OS X Server 10.3.7
Apple Mac OS X Server 10.3.6
Apple Mac OS X Server 10.3.5
Apple Mac OS X Server 10.3.4
Apple Mac OS X Server 10.3.3
Apple Mac OS X Server 10.3.2
Apple Mac OS X Server 10.3.1
Apple Mac OS X Server 10.3
Apple Mac OS X Server 10.2.8
Apple Mac OS X Server 10.2.7
Apple Mac OS X Server 10.2.6
Apple Mac OS X Server 10.2.5
Apple Mac OS X Server 10.2.4
Apple Mac OS X Server 10.2.3
Apple Mac OS X Server 10.2.2
Apple Mac OS X Server 10.2.1
Apple Mac OS X Server 10.2
Apple Mac OS X Server 10.1.5
Apple Mac OS X Server 10.1.4
Apple Mac OS X Server 10.1.3
Apple Mac OS X Server 10.1.2
Apple Mac OS X Server 10.1.1
Apple Mac OS X Server 10.1
Apple Mac OS X Server 10.0
Apple Mac OS X 10.3.8
Apple Mac OS X 10.3.7
Apple Mac OS X 10.3.6
Apple Mac OS X 10.3.5
Apple Mac OS X 10.3.4
Apple Mac OS X 10.3.3
Apple Mac OS X 10.3.2
Apple Mac OS X 10.3.1
Apple Mac OS X 10.3
Apple Mac OS X 10.2.8
Apple Mac OS X 10.2.7
Apple Mac OS X 10.2.6
Apple Mac OS X 10.2.5
Apple Mac OS X 10.2.4
Apple Mac OS X 10.2.3
Apple Mac OS X 10.2.2
Apple Mac OS X 10.2.1
Apple Mac OS X 10.2
Apple Mac OS X 10.1.5
Apple Mac OS X 10.1.4
Apple Mac OS X 10.1.3
Apple Mac OS X 10.1.2
Apple Mac OS X 10.1.1
Apple Mac OS X 10.1
Apple Mac OS X 10.1
Apple Mac OS X 10.0.4
Apple Mac OS X 10.0.3
Apple Mac OS X 10.0.2
Apple Mac OS X 10.0.1
Apple Mac OS X 10.0 3
Apple Mac OS X 10.0
Cyrus SASL 2.1.18 -r2

- Unaffected program versions

Cyrus SASL 2.1.18 -r2

- Vulnerability discussion

Cyrus SASL is affected by multiple critical vulnerabilities that may be remotely exploitable. The first issue is due to a boundary condition error, the second issue is due to a failure of the application to properly handle environment variables.

Information currently available regarding these issues is insufficient to provide a more detailed analysis. This BID will be updated and split into separate BIDs when more information becomes available.

An attacker can leverage the boundary condition issue to exploit arbitrary code on the affected computer. The impact of the environment variable issue is currently unknown.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Conectiva has released an advisory (CLSA-2005:959) along with fixes available dealing with this issue. Please see the referenced advisory for more information.

The Fedora Legacy project has released advisory FLSA:2137 to address this issue for RedHat Fedora Core 1. Please see the referenced advisory for further information.

Red Hat has released an updated advisory RHSA-2004:546-18 and fixes to address this issue on Red Hat Linux Enterprise platforms. Customers who are affected by this issue are advised to apply the appropriate updates. Customers subscribed to the Red Hat Network may apply the appropriate fixes using the Red Hat Update Agent (up2date). Please see referenced advisory for additional information.

Gentoo Linux has released an advisory dealing with this issue. Gentoo has advised that all Cyrus-SASL users should upgrade to the latest stable version:

# emerge sync

# emerge -pv ">=dev-libs/cyrus-sasl-2.1.18-r2"
# emerge ">=dev-libs/cyrus-sasl-2.1.18-r2"

For more information, please see the referenced Gentoo advisory.

Mandrake Linux has released advisory MDKSA-2004:106 along with fixes dealing with this issue. Please see the referenced advisory for more information.

Trustix Secure Linux has made an advisory (TSLSA-2004-0053) along with fixes available dealing with this issue. Please see the referenced advisory for more information.

Red Hat has released an advisory to address these issues in Fedora Core 2. Please see the referenced advisory for more information.

Debian has released an advisory (DSA 563-1) along with fixes available dealing with this issue. Please see the referenced advisory for more information.

Debian has updated advisory (DSA 563-1 to DSA 563-2) to address problems with the fixes released in the original advisory. Please see the referenced advisory for more information.

Debian has updated advisory (DSA 563-2 to DSA 563-3) to address problems with the fixes released in the original advisory. Please see the referenced advisory for more information.

Debian has released an advisory (DSA 568-1) dealing with this issue for the Cyrus SASL MIT packages. Please see the referenced advisory for more information.

Conectiva Linux has released advisory CLA-2004:889 along with fixes to address this issue. Please see the referenced advisory for further information.

OpenPKG security advisory OpenPKG-SA-2005.004 is available to address this issue. Please see the referenced advisory for further information.

SuSE has released advisory SUSE-SA:2005:013 to address the digestmda5 issue (CAN-2005-0373). Please see the referenced advisory for details on obtaining and applying fixes.

Mandrake Linux has released advisory MDKSA-2005:054 dealing with the digestmda5 issue (CAN-2005-0373). Please see the referenced advisory for details on obtaining and applying fixes.

Apple has released advisory (Security Update 2005-003) to address various issues. Please see the referenced advisory for more information. Updates for Mac OS X v10.3.8 and Mac OS X Server v10.3.8 are available.


Cyrus SASL 1.5.24

Cyrus SASL 1.5.27

Apple Mac OS X 10.3.8

Apple Mac OS X Server 10.3.8

Cyrus SASL 2.1.10

Cyrus SASL 2.1.12

Cyrus SASL 2.1.18

- Related references
