Bug 31991

Summary: cyrus-sasl security issues - CVE-2019-19906, CVE-2022-24407 (both already fixed), but new version 2.1.28 available
Product: Mageia Reporter: Stig-Ørjan Smelror <smelror>
Component: RPM Packages Assignee: All Packagers <pkg-bugs>
Status: NEW --- QA Contact:
Severity: normal    
Priority: Normal CC: nicolas.salguero
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: cyrus-sasl-2.1.27-7.mga9.src.rpm CVE: CVE-2019-19906, CVE-2022-24407
Status comment: Fixed in version 2.1.28

Description Stig-Ørjan Smelror 2023-06-06 07:55:36 CEST
As reported upstream.
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28

Fixed in version 2.1.28
Stig-Ørjan Smelror 2023-06-06 07:56:53 CEST

CVE: (none) => CVE-2019-19906, CVE-2022-24407
Status comment: (none) => Fixed in version 2.1.28

Comment 1 Nicolas Salguero 2023-06-06 10:46:42 CEST
Hi,

CVE-2019-19906 was fixed in bug 25914 and CVE-2022-24407 was fixed in bug 30085.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 2 Lewis Smith 2023-06-07 21:43:31 CEST
In the light of which, both those bugs being RESOLVED FIXED, we could close this one forthwith. But is it worth updating the package anyway?

Source RPM: (none) => cyrus-sasl-2.1.27-7.mga9.src.rpm
CC: (none) => lewyssmith

Comment 3 David Walser 2023-06-08 01:34:28 CEST
Yes, it should be updated, though perhaps after Cauldron reopens for Mageia 10.

Comment 4 Lewis Smith 2023-06-08 21:06:59 CEST
In the light of which, assigning this globally as the package has various committers.

QA Contact: security => (none)
Assignee: bugsquad => pkg-bugs
Summary: cyrus-sasl security issues - CVE-2019-19906, CVE-2022-24407 => cyrus-sasl security issues - CVE-2019-19906, CVE-2022-24407 (both already fixed), but new version 2.1.28 available
Component: Security => RPM Packages
CC: lewyssmith => (none)