Date: Fri, 8 Oct 2004 13:37:13 +0200
From: Trustix Security Advisor <[email protected]>
To: [email protected]
Subject: TSLSA-2004-0053 - cyrus-sasl
--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0053
Package name: cyrus-sasl
Summary: Insecure handling of environment variable
Date: 2004-10-08
Affected versions: Trustix Secure Linux 2.0
                   Trustix Secure Linux 2.1
                   Trustix Operating System - Enterprise Server 2
--------------------------------------------------------------------------
Package description:
The cyrus-sasl package contains the Cyrus implementation of SASL.
SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.
Problem description:
Kurt Lieber <klieber at gentoo dot org> reported that libsasl honors the
environment variable SASL_PATH blindly, allowing a local user to compile a
"library" locally that libsasl then loads and executes with the effective
ID of the process using SASL.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0884 to this issue.
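To illustrate the class of fix this advisory calls for, here is an added example (not code from the cyrus-sasl project or from Trustix): a plugin-path selector that ignores an environment-supplied SASL_PATH when the process runs with elevated privilege and checks the chosen directory before anything would be loaded from it. The function names, the extra geteuid() == 0 test and the compiled-in default directory /usr/lib/sasl2 are assumptions.

```c
/* Hardened plugin-directory selection (added example, not libsasl's code).
   Assumed names: choose_plugin_path(), dir_is_trusted(), sasl_plugin_path(). */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl2"   /* assumed compiled-in default */

/* A process that has gained privilege (setuid/setgid binary, or a daemon
   still running as root) must not let its caller choose the directory from
   which shared objects are dlopen()ed: that is exactly the CAN-2004-0884 bug. */
static int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid() || geteuid() == 0;
}

/* Accept a plugin directory only if root owns it and it is not group- or
   world-writable; otherwise any local user could drop a .so into it. */
int dir_is_trusted(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Core policy, parameterised so it can be exercised without touching the
   real environment: env_value is the (possibly NULL) SASL_PATH setting and
   privileged says whether the caller must distrust it. */
const char *choose_plugin_path(const char *env_value, int privileged)
{
    if (env_value == NULL || env_value[0] == '\0' || privileged)
        return DEFAULT_PLUGIN_DIR;
    /* Honour SASL_PATH only for unprivileged processes, and never as a
       relative path, which would resolve against an attacker-chosen cwd. */
    if (env_value[0] != '/')
        return DEFAULT_PLUGIN_DIR;
    return env_value;
}

/* What a library would call: reads the real environment and privilege state. */
const char *sasl_plugin_path(void)
{
    return choose_plugin_path(getenv("SASL_PATH"), running_privileged());
}
```

The directory returned by sasl_plugin_path() should still be passed through dir_is_trusted() before any file in it is opened, since the default directory can be mis-permissioned too.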
Action:
We recommend that all systems with this package installed be upgraded.
Please note that if you do not need the functionality provided by this
package, you may want to remove it from your system.
Location:
All Trustix Secure Linux updates are available from
<URI:http://http.trustix.org/pub/trustix/updates/>
<URI:ftp://ftp.trustix.org/pub/trustix/updates/>
About Trustix Secure Linux:
Trustix Secure Linux is a small Linux distribution for servers. With focus
on security and stability, the system is painlessly kept safe and up to
date from day one using swup, the automated software updater.
Automatic updates:
Users of the SWUP tool can enjoy having updates automatically
installed using 'swup --upgrade'.
Questions?
Check out our mailing lists:
<URI:http://www.trustix.org/support/>
Verification:
This advisory, along with all Trustix packages, is signed with the
TSL sign key.
This key is available from:
<URI:http://www.trustix.org/TSL-SIGN-KEY>
The advisory itself is available from the errata pages at
<URI:http://www.trustix.org/errata/trustix-2.0/> and
<URI:http://www.trustix.org/errata/trustix-2.1/>
or directly at
<URI:http://www.trustix.org/errata/2004/0053/>
MD5sums of the packages:
--------------------------------------------------------------------------
Trustix Security Team