| Name | CVE-2019-19906 |
| Description | cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2044-1, DSA-4591-1, ELA-203-1 |
| Debian Bugs | 947043 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| cyrus-sasl2 (PTS) | jessie, jessie (lts) | 2.1.26.dfsg1-13+deb8u3 | fixed |
| stretch (security), stretch (lts), stretch | 2.1.27~101-g0780600+dfsg-3+deb9u2 | fixed | |
| buster (security), buster, buster (lts) | 2.1.27+dfsg-1+deb10u2 | fixed | |
| bullseye (security), bullseye | 2.1.27+dfsg-2.1+deb11u1 | fixed | |
| bookworm | 2.1.28+dfsg-10 | fixed | |
| sid, trixie | 2.1.28+dfsg1-8 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| cyrus-sasl2 | source | wheezy | 2.1.25.dfsg1-6+deb7u2 | ELA-203-1 | ||
| cyrus-sasl2 | source | jessie | 2.1.26.dfsg1-13+deb8u2 | DLA-2044-1 | ||
| cyrus-sasl2 | source | stretch | 2.1.27~101-g0780600+dfsg-3+deb9u1 | DSA-4591-1 | ||
| cyrus-sasl2 | source | buster | 2.1.27+dfsg-1+deb10u1 | DSA-4591-1 | ||
| cyrus-sasl2 | source | (unstable) | 2.1.27+dfsg-2 | 947043 |
https://github.com/cyrusimap/cyrus-sasl/issues/587
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1 (master)
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/f96ba043fb9ffd30f7089564164203136506e7ab (master)
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/332b8c591b662bce4a2dae55cad9784e15096908 (cyrus-sasl-2.1.28)
Fixed by: https://github.com/cyrusimap/cyrus-sasl/commit/5ac1beeb574cd9d0a518d72330b19d2460688089 (cyrus-sasl-2.1.28)
https://www.openldap.org/its/index.cgi/Incoming?id=9123
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28
DSA-4591-1 applied only the first part of the fix which was incomplete (but can be
considered a functional incomplete fix, thus not warranting a CVE):
https://github.com/cyrusimap/cyrus-sasl/pull/655
The functional incomplete fix was already addressed in unstable with 2.1.27+dfsg2-1