Executive Summary
| Summary | |
|---|---|
| Title | New Cyrus SASL packages fix denial of service |
| Informations | |||
|---|---|---|---|
| Name | DSA-1042 | First vendor Publication | 2006-04-25 |
| Vendor | Debian | Last vendor Modification | 2006-04-25 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:H/Au:N/C:N/I:N/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 2.6 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | High |
| Cvss Expoit Score | 4.9 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| The Mu Security research team discovered a denial of service condition in the Simple Authentication and Security Layer authentication library (SASL) during DIGEST-MD5 negotiation. This potentially affects multiple products that use SASL DIGEST-MD5 authentication including OpenLDAP, Sendmail, Postfix, etc. The old stable distribution (woody) is not affected by this problem. For the stable distribution (sarge) this problem has been fixed in version 2.1.19-1.5sarge1. For the unstable distribution (sid) this problem has been fixed in version 2.1.19.dfsg1-0.2. We recommend that you upgrade your cyrus-sasl2 packages. |
Original Source
| Url : http://www.debian.org/security/2006/dsa-1042 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-20 | Improper Input Validation |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:9861 | |||
| Oval ID: | oval:org.mitre.oval:def:9861 | ||
| Title: | digestmd5.c in the CMU Cyrus Simple Authentication and Security Layer (SASL) library 2.1.18, and possibly other versions before 2.1.21, allows remote unauthenticated attackers to cause a denial of service (segmentation fault) via malformed inputs in DIGEST-MD5 negotiation. | ||
| Description: | digestmd5.c in the CMU Cyrus Simple Authentication and Security Layer (SASL) library 2.1.18, and possibly other versions before 2.1.21, allows remote unauthenticated attackers to cause a denial of service (segmentation fault) via malformed inputs in DIGEST-MD5 negotiation. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2006-1721 | Version: | 5 |
| Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 5 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200604-09 (cyrus-sasl) File : nvt/glsa_200604_09.nasl |
| 2008-09-04 | Name : FreeBSD Ports: cyrus-sasl File : nvt/freebsd_cyrus-sasl1.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 1042-1 (cyrus-sasl2) File : nvt/deb_1042_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 24510 | Cyrus SASL DIGEST-MD5 Pre-Authentication Unspecified DoS |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0795.nasl - Type : ACT_GATHER_INFO |
| 2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0878.nasl - Type : ACT_GATHER_INFO |
| 2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20070904_cyrus_sasl_on_SL4_x.nasl - Type : ACT_GATHER_INFO |
| 2009-07-27 | Name : The remote VMware ESXi / ESX host is missing one or more security-related pat... File : vmware_VMSA-2008-0009.nasl - Type : ACT_GATHER_INFO |
| 2007-09-07 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0795.nasl - Type : ACT_GATHER_INFO |
| 2007-09-05 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0878.nasl - Type : ACT_GATHER_INFO |
| 2007-09-05 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0795.nasl - Type : ACT_GATHER_INFO |
| 2007-09-05 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0878.nasl - Type : ACT_GATHER_INFO |
| 2006-10-14 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1042.nasl - Type : ACT_GATHER_INFO |
| 2006-09-29 | Name : The remote host is missing a Mac OS X update which fixes a security issue. File : macosx_10_4_8.nasl - Type : ACT_GATHER_INFO |
| 2006-09-29 | Name : The remote host is missing a Mac OS X update which fixes a security issue. File : macosx_SecUpd2006-006.nasl - Type : ACT_GATHER_INFO |
| 2006-05-13 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_408f6ebfd15211da962f000b972eb521.nasl - Type : ACT_GATHER_INFO |
| 2006-05-13 | Name : The remote host is missing a vendor-supplied security patch File : suse_SA_2006_025.nasl - Type : ACT_GATHER_INFO |
| 2006-04-26 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-272-1.nasl - Type : ACT_GATHER_INFO |
| 2006-04-21 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200604-09.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:25:43 |
|
