[BLFS Trac] #1838: OpenSSL-0.9.8a

Archaic archaic at linuxfromscratch.org
Mon May 1 01:52:43 PDT 2006


On Tue, Apr 25, 2006 at 11:22:35AM -0700, Dan Nicholson wrote:
> On 4/24/06, Archaic <archaic at linuxfromscratch.org> wrote:
> >
> > Does this new sasl version fix the vulnerability with digest-md5?
> 
> This was just checked in.  Does it ring a bell?  Should I port it back
> to 2.1.21?
> 
> https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.178&r2=1.179
> 
> Log entry is "Prevent buffer overrun when DIGEST-MD5 plugin receives a
> packet shorter than 16 bytes."

That sounds like the fix. However,
http://asg.web.cmu.edu/archive/message.php?mailbox=archive.cyrus-sasl&msg=7766
seems to say that 2.1.21 isn't affected, yet the fix is in the main
branch (which is also the only branch I saw).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721 also seems
to say that 2.1.21 isn't affected, but gentoo says otherwise:
http://www.gentoo.org/security/en/glsa/glsa-200604-09.xml

I guess seeing if the diff applies is the best answer we could get.

-- 
Archaic

Want control, education, and security from your operating system?
Hardened Linux From Scratch
http://www.linuxfromscratch.org/hlfs