Bug 31991 - cyrus-sasl security issues - CVE-2019-19906, CVE-2022-24407 (both already fixed), but new version 2.1.28 available
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: All Packagers
Reported: 2023-06-06 07:55 CEST by Stig-Ørjan Smelror
Modified: 2023-06-08 21:06 CEST
Source RPM: cyrus-sasl-2.1.27-7.mga9.src.rpm
CVE: CVE-2019-19906, CVE-2022-24407
Status comment: Fixed in version 2.1.28


Description Stig-Ørjan Smelror 2023-06-06 07:55:36 CEST
As reported upstream.
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28

Fixed in version 2.1.28

Stig-Ørjan Smelror 2023-06-06 07:56:53 CEST

CVE: (none) => CVE-2019-19906, CVE-2022-24407
Status comment: (none) => Fixed in version 2.1.28

Comment 1 Nicolas Salguero 2023-06-06 10:46:42 CEST
Hi,

CVE-2019-19906 was fixed in bug 25914 and CVE-2022-24407 was fixed in bug 30085.

Best regards,

Nico.

CC: (none) => nicolas.salguero

Comment 2 Lewis Smith 2023-06-07 21:43:31 CEST
In the light of which, both those bugs being RESOLVED FIXED, we could close this one forthwith. But is it worth updating the package anyway?

Source RPM: (none) => cyrus-sasl-2.1.27-7.mga9.src.rpm
CC: (none) => lewyssmith

Comment 3 David Walser 2023-06-08 01:34:28 CEST
Yes, it should be updated, though perhaps after Cauldron reopens for Mageia 10.

Comment 4 Lewis Smith 2023-06-08 21:06:59 CEST
In the light of which, assigning this globally as the package has various committers.

QA Contact: security => (none)
Assignee: bugsquad => pkg-bugs
Summary: cyrus-sasl security issues - CVE-2019-19906, CVE-2022-24407 => cyrus-sasl security issues - CVE-2019-19906, CVE-2022-24407 (both already fixed), but new version 2.1.28 available
Component: Security => RPM Packages
CC: lewyssmith => (none)

