CVE-2022-24407 An earlier version of SASL didn't escape the password for a SQL INSERT or UPDATE statement.

This could lead to a remote attacker being able to run arbitrary SQL commands. This issue was resolved by updating plugin code to escape the password. SASL is disabled by default in Cyrus. For more information, see: https://www.sasl- Conference.org/2018/05/13/SASL-CVE-2018-1705.

Cyrus v2.1.28 and later does not have this issue. An update has been applied to the v2.1.28 versions listed above.

NAT-T is a network protocol that provides communication between two NAT devices. It can be used to tunnel any type of data across NAT gateways. NAT-T is not enabled by default in Cyrus. NAT-T can be enabled by changing the NAT-T setting in cyrus.conf.

An update has been applied to the v2.1.28 versions listed above.

An issue has been identified where the bcrypt plugin in Cyrus v2.1.28 through v2.1.38 and v3.0.0 before 3.0.1 does not validate the salt being passed from the client. As a result, an attacker can craft a malformed salt, leading to an infinite loop. This issue was resolved by updating the plugin code to validate the salt.

A denial of service issue was identified in Cyrus v2.1.28 through v2.1.38 and v3.0

Versions Affected

Cyrus v2.1.28 through v2.1.38 and v3.0.0 before 3.0.1
CVE-2022-24407

CVE-2018-1704

An issue was identified where the bcrypt plugin in Cyrus v2.1.28 through v2.1.38 and v3.0.0 before 3.0.1 does not properly validate the salt being passed from the client, leading to an infinite loop when trying to decrypt a password that contains an invalid salt value.

An update has been applied to all versions of Cyrus listed above, resolving this issue.

An issue with NAT-T has been identified in Cyrus v2.1.28 through v2.1.38 and v3.0.0 before 3

Cyrus v2.1.28 and later does not have these issues. An update has been applied to the v2.1.28 versions listed above.
