https://linuxsecurity.com/advisories/deblts/debian-lts-dla-2044-1-cyrus-sasl2-security-update-10-38-49
CVE: (none) => CVE-2019-19906
Component: RPM Packages => Security
Thank you for the pointer. No duplicate found for the CVE. This bug has been raised for cyrus-sasl2, which we do not have exactly; but cyrus-sasl. In case this difference matters. Assigning to DavidG because you have already (!) "add patch to fix CVE-2019-19906 (mga#25914)".
Assignee: bugsquad => geiger.david68210
QA Contact: (none) => security
Source RPM: cyrus-sasl => cyrus-sasl-2.1.27-1.mga7.src.rpm
Actual link: https://www.debian.org/lts/security/2019/dla-2044
Debian has also issued an advisory for this on December 20:
https://www.debian.org/security/2019/dsa-4591
Version: 7 => Cauldron
Summary: cyrus-sasl2 security update CVE-2019-19906 => cyrus-sasl new security issue CVE-2019-19906
Whiteboard: (none) => MGA7TOO
Done also for mga7!
Advisory:
========================

Updated cyrus-sasl packages fix security vulnerability:

Stephan Zeisberg reported an out-of-bounds write vulnerability in the _sasl_add_string() function in cyrus-sasl2, a library implementing the Simple Authentication and Security Layer. A remote attacker can take advantage of this issue to cause denial-of-service conditions for applications using the library (CVE-2019-19906).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
https://www.debian.org/security/2019/dsa-4591
========================

Updated packages in core/updates_testing:
========================
cyrus-sasl-2.1.27-1.1.mga7
libsasl2_3-2.1.27-1.1.mga7
libsasl2-devel-2.1.27-1.1.mga7
libsasl2-plug-anonymous-2.1.27-1.1.mga7
libsasl2-plug-crammd5-2.1.27-1.1.mga7
libsasl2-plug-digestmd5-2.1.27-1.1.mga7
libsasl2-plug-plain-2.1.27-1.1.mga7
libsasl2-plug-scram-2.1.27-1.1.mga7
libsasl2-plug-login-2.1.27-1.1.mga7
libsasl2-plug-gssapi-2.1.27-1.1.mga7
libsasl2-plug-otp-2.1.27-1.1.mga7
libsasl2-plug-sasldb-2.1.27-1.1.mga7
libsasl2-plug-srp-2.1.27-1.1.mga7
libsasl2-plug-ntlm-2.1.27-1.1.mga7
libsasl2-plug-mysql-2.1.27-1.1.mga7
libsasl2-plug-pgsql-2.1.27-1.1.mga7
libsasl2-plug-sqlite3-2.1.27-1.1.mga7
libsasl2-plug-ldapdb-2.1.27-1.1.mga7

from cyrus-sasl-2.1.27-1.1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to bug 11112 for tests, points to accessing samba. So tried
$ strace -o sasl-txt smbtree -S
Unable to initialize messaging context
Enter MYGROUP\tester7's password:
WORKGROUP
    \\MACH1 Samba Server Version 4.10.11
trace shows
openat(AT_FDCWD, "/lib64/libsasl2.so.3", O_RDONLY|O_CLOEXEC) = 3
Looked into contents of cyrus-sasl and found daemon, so
# systemctl -l status saslauthd
● saslauthd.service - SASL authentication daemon.
   Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
# systemctl -l start saslauthd
# systemctl -l status saslauthd
● saslauthd.service - SASL authentication daemon.
   Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-01-04 14:51:43 CET; 3s ago
  Process: 29476 ExecStart=/usr/sbin/saslauthd -m /run/saslauthd -a $SASL_AUTHMECH $SASLAUTHD_OPTS (code=exited, status=0/SUCCESS)
 Main PID: 29477 (saslauthd)
   Memory: 1.4M
   CGroup: /system.slice/saslauthd.service
           ├─29477 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─29478 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─29479 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           ├─29480 /usr/sbin/saslauthd -m /run/saslauthd -a pam
           └─29481 /usr/sbin/saslauthd -m /run/saslauthd -a pam

jan 04 14:51:43 mach5.hviaene.thuis systemd[1]: Starting SASL authentication daemon....
jan 04 14:51:43 mach5.hviaene.thuis saslauthd[29477]: : master pid is: 29477
jan 04 14:51:43 mach5.hviaene.thuis saslauthd[29477]: : listening on socket: /run/saslauthd/mux
jan 04 14:51:43 mach5.hviaene.thuis systemd[1]: Started SASL authentication daemon..

I could not make sense of the other commands, but what I see looks good. OK'ing unless someone else has better ideas.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Good enough for me, Herman. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0011.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED