[BLFS Trac] #1838: OpenSSL-0.9.8a

Archaic archaic at linuxfromscratch.org
Mon May 1 01:52:43 PDT 2006

On Tue, Apr 25, 2006 at 11:22:35AM -0700, Dan Nicholson wrote:
> On 4/24/06, Archaic <archaic at linuxfromscratch.org> wrote:
> >
> > Does this new sasl version fix the vulnerability with digest-md5?
> This was just checked in.  Does it ring a bell?  Should I port it back
> to 2.1.21?
> https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.178&r2=1.179
> Log entry is "Prevent buffer overrun when DIGEST-MD5 plugin receives a
> packet shorter than 16 bytes."

That sounds like the fix. However,
seems to say that 2.1.21 isn't affected, yet the fix is in the main
branch (which is also the only branch I saw).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721 also seems
to say that 2.1.21 isn't affected, but gentoo says otherwise:

I guess seeing if the diff applies is the best answer we could get.


Want control, education, and security from your operating system?
Hardened Linux From Scratch
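An added illustration of the bug class named in the log entry, not the cyrus-sasl code and not from this thread: a verifier that reads a 16-byte MD5 digest from a received packet, shown without and with the length check the fix describes. The function names, return codes and sample packets are assumptions constructed for the example.

```c
#include <stddef.h>
#include <string.h>

#define DIGEST_LEN 16 /* MD5 digest size: the "16 bytes" in the log entry */

/* Return codes modelled on SASL's naming, defined here (assumption). */
enum { SASL_OK = 0, SASL_BADPROT = -1, SASL_BADAUTH = -2 };

/* Constant-time compare so timing does not leak how many bytes matched. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* "Before" shape of the bug class: reads DIGEST_LEN bytes without consulting
 * len, so a packet shorter than 16 bytes is read past its end. Shown for
 * contrast only; never call it with untrusted input. */
static int verify_digest_unchecked(const unsigned char *pkt, size_t len,
                                   const unsigned char expected[DIGEST_LEN])
{
    (void)len; /* the missing length check */
    return ct_equal(pkt, expected, DIGEST_LEN) ? SASL_OK : SASL_BADAUTH;
}

/* "After" shape: reject short packets as a protocol error before any byte
 * of the digest is read. */
static int verify_digest_checked(const unsigned char *pkt, size_t len,
                                 const unsigned char expected[DIGEST_LEN])
{
    if (pkt == NULL || len < DIGEST_LEN)
        return SASL_BADPROT;
    return ct_equal(pkt, expected, DIGEST_LEN) ? SASL_OK : SASL_BADAUTH;
}

/* Constructed sample data: the digest the server expects, plus three peer
 * packets (well-formed with trailing data, wrong digest, truncated). */
static const unsigned char k_expected[DIGEST_LEN] = { 0x00, 0x11, 0x22, 0x33,
    0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };

int demo_good(void)   { unsigned char p[20]; memcpy(p, k_expected, 16); memset(p + 16, 'x', 4);
                        return verify_digest_checked(p, sizeof p, k_expected); }
int demo_wrong(void)  { unsigned char p[16]; memcpy(p, k_expected, 16); p[15] ^= 1;
                        return verify_digest_checked(p, sizeof p, k_expected); }
int demo_short(void)  { unsigned char p[5] = { 1, 2, 3, 4, 5 }; /* 5 < 16: rejected, never read */
                        return verify_digest_checked(p, sizeof p, k_expected); }
int demo_legacy(void) { return verify_digest_unchecked(k_expected, 16, k_expected); } /* well-formed only */
```

The checked variant turns a truncated packet into SASL_BADPROT before any digest byte is touched, which is the behaviour the cited fix is described as adding.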
