Bugtraq mailing list archives

Re: Cyrus SASL library buffer overflows


From: Matthias Andree <ma () dt e-technik uni-dortmund de>
Date: Tue, 10 Dec 2002 13:21:25 +0100

Timo Sirainen <tss () iki fi> writes:

> These overflows are found at least in version 2.1.9, none of them are
> present in 1.5.28. 2.1.10 was just released which fixed the problems.
>
> Note that besides the Cyrus project itself, the SASL library is also used
> by Postfix-TLS patch, OpenLDAP and probably some other servers.

Dr. Lutz Jänicke, maintainer of the Postfix-TLS patch, has just stated
on the Postfix-Users list that the Postfix-TLS patch does not use SASL.

Links to the list archives, pick a random one to distribute load:

1 http://marc.theaimsgroup.com/?l=postfix-users&m=103950709607868&w=2
2 http://archives.neohapsis.com/archives/postfix/2002-12/1067.html
3 http://article.gmane.org/gmane.mail.postfix.user/25377
4 http://groups.google.com/groups?dq=&hl=en&lr=&ie=UTF-8&selm=at46qh%24676%241%40FreeBSD.csie.NCTU.edu.tw
5 http://msgs.securepoint.com/cgi-bin/get/postfix0212/245/2.html
6 roll your die again


Postfix can be compiled to use SASL, but this is not the default when
compiled from source; it requires additional configuration. Some
distributors enable SASL for their packages by default, though, so watch
for their announcements, and also check whether your Postfix version uses
SASL1 or SASL2.

-- 
Matthias Andree
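
Added example, not part of the original message: one way to run the SASL1-or-SASL2 check mentioned above and map the result onto the versions named in the thread. It assumes Cyrus SASL 1.x is linked as `libsasl.so.*` and 2.x as `libsasl2.so.*`, and it treats every 2.x release below 2.1.10 as needing the upgrade; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from Postfix or Cyrus.
# Live use (assumes ldd and postconf are installed):
#   ldd "$(postconf -h daemon_directory)/smtpd" | classify_sasl_linkage

# Read `ldd` output on stdin and print sasl1, sasl2, both or none.
# Assumption: SASL 1.x links as libsasl.so.*, SASL 2.x as libsasl2.so.*.
classify_sasl_linkage() {
    awk '
        /libsasl2\.so/ { v2 = 1 }
        /libsasl\.so/  { v1 = 1 }
        END {
            if (v1 && v2) print "both"
            else if (v2)  print "sasl2"
            else if (v1)  print "sasl1"
            else          print "none"
        }'
}

# version_lt A B: succeed when three-part dotted version A is lower than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# triage LINKAGE [SASL_VERSION]: the thread reports the overflows in 2.1.9,
# the fix in 2.1.10, and none of them in 1.5.28.
# Assumption: any 2.x version below 2.1.10 is flagged for upgrade.
triage() {
    case "$1" in
        none)  echo "not-linked" ;;
        sasl1) echo "sasl1-not-reported-affected" ;;
        sasl2|both)
            if [ -z "$2" ]; then echo "sasl2-version-unknown"
            elif version_lt "$2" 2.1.10; then echo "sasl2-upgrade-to-2.1.10"
            else echo "sasl2-fixed"
            fi ;;
        *) echo "unknown-linkage" ;;
    esac
}
```

The version passed to `triage` comes from the package manager, since the library file name alone does not state the Cyrus SASL release.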

