[SECURITY] [DLA 2931-1] cyrus-sasl2 security update

2022-03-0617:15:21

lists.debian.org

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

68.8%

JSON

Debian LTS Advisory DLA-2931-1 [email protected]
https://www.debian.org/lts/security/ Thorsten Alteholz
March 06, 2022 https://wiki.debian.org/LTS

Package : cyrus-sasl2
Version : 2.1.27~101-g0780600+dfsg-3+deb9u2
CVE ID : CVE-2022-24407

It was discovered that the SQL plugin in cyrus-sasl2, a library
implementing the Simple Authentication and Security Layer, is prone to a
SQL injection attack. An authenticated remote attacker can take advantage
of this flaw to execute arbitrary SQL commands and for privilege
escalation.

For Debian 9 stretch, this problem has been fixed in version
2.1.27~101-g0780600+dfsg-3+deb9u2.

We recommend that you upgrade your cyrus-sasl2 packages.

For the detailed security status of cyrus-sasl2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cyrus-sasl2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10arm64sasl2-bin< 2.1.27+dfsg-1+deb10u2sasl2-bin_2.1.27+dfsg-1+deb10u2_arm64.deb
Debian11arm64libsasl2-2-dbgsym< 2.1.27+dfsg-2.1+deb11u1libsasl2-2-dbgsym_2.1.27+dfsg-2.1+deb11u1_arm64.deb
Debian10mips64ellibsasl2-modules-sql< 2.1.27+dfsg-1+deb10u2libsasl2-modules-sql_2.1.27+dfsg-1+deb10u2_mips64el.deb
Debian11ppc64ellibsasl2-modules-sql< 2.1.27+dfsg-2.1+deb11u1libsasl2-modules-sql_2.1.27+dfsg-2.1+deb11u1_ppc64el.deb
Debian10arm64sasl2-bin-dbgsym< 2.1.27+dfsg-1+deb10u2sasl2-bin-dbgsym_2.1.27+dfsg-1+deb10u2_arm64.deb
Debian11ppc64ellibsasl2-dev< 2.1.27+dfsg-2.1+deb11u1libsasl2-dev_2.1.27+dfsg-2.1+deb11u1_ppc64el.deb
Debian9i386libsasl2-dev< 2.1.27~101-g0780600+dfsg-3+deb9u2libsasl2-dev_2.1.27~101-g0780600+dfsg-3+deb9u2_i386.deb
Debian10mipsellibsasl2-modules-gssapi-mit-dbgsym< 2.1.27+dfsg-1+deb10u2libsasl2-modules-gssapi-mit-dbgsym_2.1.27+dfsg-1+deb10u2_mipsel.deb
Debian10ppc64ellibsasl2-modules-gssapi-heimdal-dbgsym< 2.1.27+dfsg-1+deb10u2libsasl2-modules-gssapi-heimdal-dbgsym_2.1.27+dfsg-1+deb10u2_ppc64el.deb
Debian10armhflibsasl2-modules< 2.1.27+dfsg-1+deb10u2libsasl2-modules_2.1.27+dfsg-1+deb10u2_armhf.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	arm64	sasl2-bin	< 2.1.27+dfsg-1+deb10u2	sasl2-bin_2.1.27+dfsg-1+deb10u2_arm64.deb
Debian	11	arm64	libsasl2-2-dbgsym	< 2.1.27+dfsg-2.1+deb11u1	libsasl2-2-dbgsym_2.1.27+dfsg-2.1+deb11u1_arm64.deb
Debian	10	mips64el	libsasl2-modules-sql	< 2.1.27+dfsg-1+deb10u2	libsasl2-modules-sql_2.1.27+dfsg-1+deb10u2_mips64el.deb
Debian	11	ppc64el	libsasl2-modules-sql	< 2.1.27+dfsg-2.1+deb11u1	libsasl2-modules-sql_2.1.27+dfsg-2.1+deb11u1_ppc64el.deb
Debian	10	arm64	sasl2-bin-dbgsym	< 2.1.27+dfsg-1+deb10u2	sasl2-bin-dbgsym_2.1.27+dfsg-1+deb10u2_arm64.deb
Debian	11	ppc64el	libsasl2-dev	< 2.1.27+dfsg-2.1+deb11u1	libsasl2-dev_2.1.27+dfsg-2.1+deb11u1_ppc64el.deb
Debian	9	i386	libsasl2-dev	< 2.1.27~101-g0780600+dfsg-3+deb9u2	libsasl2-dev_2.1.27~101-g0780600+dfsg-3+deb9u2_i386.deb
Debian	10	mipsel	libsasl2-modules-gssapi-mit-dbgsym	< 2.1.27+dfsg-1+deb10u2	libsasl2-modules-gssapi-mit-dbgsym_2.1.27+dfsg-1+deb10u2_mipsel.deb
Debian	10	ppc64el	libsasl2-modules-gssapi-heimdal-dbgsym	< 2.1.27+dfsg-1+deb10u2	libsasl2-modules-gssapi-heimdal-dbgsym_2.1.27+dfsg-1+deb10u2_ppc64el.deb
Debian	10	armhf	libsasl2-modules	< 2.1.27+dfsg-1+deb10u2	libsasl2-modules_2.1.27+dfsg-1+deb10u2_armhf.deb