In association with heise online

18 May 2009, 11:30

Security update for Cyrus SASL authentication framework


A vulnerability in Cyrus SASL can be exploited for remote denial-of-service (DoS) attacks against network applications that use it. Attackers may even be able to inject and execute arbitrary code. Cyrus SASL is an open source implementation of the Simple Authentication and Security Layer (SASL), a generic framework that offers secure authentication for protocols which don't provide the feature themselves. For instance, Sendmail uses Cyrus SASL for SMTP authentication (SMTP AUTH).

The problem is caused by a flaw in the sasl_encode64 function in lib/saslutil.c that can trigger buffer overflows under certain conditions. Version 2.1.23 of the framework apparently no longer contains the vulnerability. However, some applications no longer work with the updated version if the output buffer they pass does not include space for a closing NUL character.
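The following C block is an added illustration and is not the code of lib/saslutil.c or of any Cyrus SASL release. It models the contract the article describes for a base64 encoder: the output buffer must hold the encoded text plus a terminating NUL, and the length check counts that NUL. The helper `encode_matches` (a name chosen here, not a Cyrus SASL API) shows the caller's side: a buffer sized exactly for the encoded text is now rejected with an error rather than overrun by one byte, which is the behaviour change that breaks applications that size their buffers without the NUL.

```c
#include <stddef.h>
#include <string.h>

/* Number of characters the base64 encoding of inlen bytes occupies,
 * excluding the terminating NUL. */
size_t b64_encoded_len(size_t inlen) {
    return ((inlen + 2) / 3) * 4;
}

/* Encode in[0..inlen) into out as base64. Returns 0 on success and -1
 * when outmax is too small. The check counts the trailing NUL: an
 * off-by-one test of `outmax < need` would let the NUL write land one
 * byte past the buffer when the caller sizes it for the text alone. */
int b64_encode(const unsigned char *in, size_t inlen,
               char *out, size_t outmax, size_t *outlen) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t need = b64_encoded_len(inlen);
    size_t o = 0;

    if (out == NULL || outmax < need + 1)   /* +1 for the closing NUL */
        return -1;

    for (size_t i = 0; i < inlen; i += 3) {
        unsigned v = (unsigned)in[i] << 16;
        if (i + 1 < inlen) v |= (unsigned)in[i + 1] << 8;
        if (i + 2 < inlen) v |= (unsigned)in[i + 2];
        out[o++] = tbl[(v >> 18) & 0x3f];
        out[o++] = tbl[(v >> 12) & 0x3f];
        out[o++] = (i + 1 < inlen) ? tbl[(v >> 6) & 0x3f] : '=';
        out[o++] = (i + 2 < inlen) ? tbl[v & 0x3f] : '=';
    }
    out[o] = '\0';
    if (outlen) *outlen = o;
    return 0;
}

/* Caller-side check (hypothetical helper for this example): encode the
 * C string `in` into a buffer of outmax bytes and compare with `expect`.
 * Returns 1 when the encoder accepts the buffer and produces `expect`,
 * 0 when it rejects the buffer size or the output differs. */
int encode_matches(const char *in, size_t outmax, const char *expect) {
    char buf[64];
    size_t n = 0;
    if (outmax > sizeof buf) return 0;
    if (b64_encode((const unsigned char *)in, strlen(in), buf, outmax, &n) != 0)
        return 0;
    return n == strlen(expect) && strcmp(buf, expect) == 0;
}
```

An application that wants to stay compatible with an encoder enforcing this contract sizes its buffer as `b64_encoded_len(inlen) + 1` and treats a non-zero return as a hard error rather than assuming the output is complete.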

Several Linux distributions are already offering package updates to fix the issue.
