Debian Bug report logs -
#947043
cyrus-sasl2: CVE-2019-19906: Off-by-one in _sasl_add_string function
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Cyrus Team <team+cyrus@tracker.debian.org>: Bug#947043; Package src:cyrus-sasl2. (Thu, 19 Dec 2019 20:21:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Cyrus Team <team+cyrus@tracker.debian.org>. (Thu, 19 Dec 2019 20:21:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: cyrus-sasl2
Version: 2.1.27+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/cyrusimap/cyrus-sasl/issues/587
Control: found -1 2.1.27~101-g0780600+dfsg-3
Hi,
The following vulnerability was published for cyrus-sasl2.
CVE-2019-19906[0]:
Off by one in _sasl_add_string function
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-19906
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
[1] https://github.com/cyrusimap/cyrus-sasl/issues/587
Regards,
Salvatore
Marked as found in versions cyrus-sasl2/2.1.27~101-g0780600+dfsg-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 19 Dec 2019 20:21:04 GMT)
Changed Bug title to 'cyrus-sasl2: CVE-2019-19906: Off-by-one in _sasl_add_string function' from 'cyrus-sasl2: CVE-2019-19906: Off by one in _sasl_add_string function'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 19 Dec 2019 21:57:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <team+cyrus@tracker.debian.org>: Bug#947043; Package src:cyrus-sasl2. (Thu, 19 Dec 2019 22:00:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <team+cyrus@tracker.debian.org>. (Thu, 19 Dec 2019 22:00:03 GMT)
Message #14 received at 947043@bugs.debian.org:
Control: tags -1 + patch
Hi,
On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> Source: cyrus-sasl2
> Version: 2.1.27+dfsg-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/cyrusimap/cyrus-sasl/issues/587
> Control: found -1 2.1.27~101-g0780600+dfsg-3
>
> Hi,
>
> The following vulnerability was published for cyrus-sasl2.
>
> CVE-2019-19906[0]:
> Off by one in _sasl_add_string function
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-19906
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
> [1] https://github.com/cyrusimap/cyrus-sasl/issues/587
Attached patch for this issue.
Regards,
Salvatore
[0021-CVE-2019-19906.patch (text/x-diff, attachment)]
Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 947043-submit@bugs.debian.org. (Thu, 19 Dec 2019 22:00:03 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <team+cyrus@tracker.debian.org>: Bug#947043; Package src:cyrus-sasl2. (Fri, 20 Dec 2019 01:15:03 GMT)
Acknowledgement sent to Roberto C. Sánchez <roberto@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <team+cyrus@tracker.debian.org>. (Fri, 20 Dec 2019 01:15:03 GMT)
Message #21 received at 947043@bugs.debian.org:
On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
>
> The following vulnerability was published for cyrus-sasl2.
>
> CVE-2019-19906[0]:
> Off by one in _sasl_add_string function
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
Hi Team,
Is anybody already working on this update? If not, I can start on it
possibly tomorrow or perhaps the day after.
Salvatore,
If I (or someone else on the team) prepares the upload, do we go ahead
and make the upload then let the security team handle the DSA
publication?
Regards,
-Roberto
--
Roberto C. Sánchez
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Cyrus Team <team+cyrus@tracker.debian.org>: Bug#947043; Package src:cyrus-sasl2. (Fri, 20 Dec 2019 07:39:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Cyrus Team <team+cyrus@tracker.debian.org>. (Fri, 20 Dec 2019 07:39:03 GMT)
Message #26 received at 947043@bugs.debian.org:
Hi Roberto,
On Thu, Dec 19, 2019 at 08:06:19PM -0500, Roberto C. Sánchez wrote:
> On Thu, Dec 19, 2019 at 09:19:19PM +0100, Salvatore Bonaccorso wrote:
> >
> > The following vulnerability was published for cyrus-sasl2.
> >
> > CVE-2019-19906[0]:
> > Off by one in _sasl_add_string function
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> Hi Team,
>
> Is anybody already working on this update? If not, I can start on it
> possibly tomorrow or perhaps the day after.
>
> Salvatore,
>
> If I (or someone else on the team) prepares the upload, do we go ahead
> and make the upload then let the security team handle the DSA
> publication?
I already started yesterday, and have buster and stretch packages,
will likely release the DSA later today or tomorrow. So far tested
just lightly for stretch but will double check explicitly against
openldap.
unstable would need an update as well yet.
Can you later import then the changes in the packaging repository in
the appropriate branches?
Regards,
Salvatore
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Dec 20 09:09:01 2019.