CVE-2009-0688 — cyrus-sasl2-heimdal - buffer overflow

Description

Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c.

How to fix CVE-2009-0688

To remediate CVE-2009-0688, upgrade the affected package to a fixed version below.

Debian/cyrus-sasl2—upgrade to 2.1.23.dfsg1-1 or later
Debian/cyrus-sasl2—upgrade to 2.1.22.dfsg1-23+lenny1 or later
Debian/cyrus-sasl2—upgrade to 2.1.22.dfsg1-23+squeeze1 or later
—upgrade to 2.1.22.dfsg1-23+lenny1 or later
—upgrade to 2.1.22.dfsg1-23+squeeze1 or later

Is CVE-2009-0688 being exploited?

Moderate — EPSS is 39.5%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (5)

from 0, < 2.1.23.dfsg1-1
from 0, < 2.1.22.dfsg1-23+lenny1
from 0, < 2.1.22.dfsg1-23+squeeze1
from 0, < 2.1.22.dfsg1-23+lenny1
from 0, < 2.1.22.dfsg1-23+squeeze1

References (1)

ADVISORYsecurity-tracker.debian.org/tracker/CVE-2009-0688