CVE-2022-2469

Name: CVE-2022-2469
Description: GNU SASL libgsasl server-side read-out-of-bounds with malicious authenticated GSS-API client
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DSA-5189-1, ELA-651-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                        Version             Status
gsasl (PTS)      jessie, jessie (lts)           1.8.0-6+deb8u1      fixed
gsasl (PTS)      stretch (lts), stretch         1.8.0-8+deb9u1      fixed
gsasl (PTS)      buster, buster (security)      1.8.0-8+deb10u1     fixed
gsasl (PTS)      bullseye (security), bullseye  1.10.0-4+deb11u1    fixed
gsasl (PTS)      bookworm                       2.2.0-1             fixed
gsasl (PTS)      sid, trixie                    2.2.1-1             fixed

The information below is based on the following data on fixed versions.

Package   Type     Release     Fixed Version       Urgency   Origin      Debian Bugs
gsasl     source   jessie      1.8.0-6+deb8u1      -         ELA-651-1   -
gsasl     source   stretch     1.8.0-8+deb9u1      -         ELA-651-1   -
gsasl     source   buster      1.8.0-8+deb10u1     -         DSA-5189-1  -
gsasl     source   bullseye    1.10.0-4+deb11u1    -         DSA-5189-1  -
gsasl     source   (unstable)  2.0.1-1             -         -           -

Notes

Advisory: https://lists.gnu.org/archive/html/help-gsasl/2022-07/msg00001.html
Reproducing issue: https://lists.gnu.org/archive/html/help-gsasl/2022-07/msg00002.html
Fixed by: https://gitlab.com/gsasl/gsasl/-/commit/796e4197f696261c1f872d7576371232330bcc30 (v2.0.1)
