
Debian alert DLA-2931-1 (cyrus-sasl2)

From:  Thorsten Alteholz <debian@alteholz.de>
To:  debian-lts-announce@lists.debian.org
Subject:  [SECURITY] [DLA 2931-1] cyrus-sasl2 security update
Date:  Sun, 06 Mar 2022 17:15:21 +0000
Message-ID:  <alpine.DEB.2.21.2203061714210.4328@postfach.intern.alteholz.me>

-------------------------------------------------------------------------
Debian LTS Advisory DLA-2931-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Thorsten Alteholz
March 06, 2022                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : cyrus-sasl2
Version        : 2.1.27~101-g0780600+dfsg-3+deb9u2
CVE ID         : CVE-2022-24407

It was discovered that the SQL plugin in cyrus-sasl2, a library
implementing the Simple Authentication and Security Layer, is prone to a
SQL injection attack. An authenticated remote attacker can take advantage
of this flaw to execute arbitrary SQL commands and for privilege
escalation.

For Debian 9 stretch, this problem has been fixed in version
2.1.27~101-g0780600+dfsg-3+deb9u2.

We recommend that you upgrade your cyrus-sasl2 packages.

For the detailed security status of cyrus-sasl2 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/cyrus-sasl2

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

