Security Advisory Details

NS-SA-2022-0088

2022-11-09 12:33:35

Summary

important: cyrus-sasl/libgcrypt security update

Severity

important

Topic

An update for cyrus-sasl/libgcrypt is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Detailed Description

cyrus-sasl: Cyrus SASL is the Cyrus implementation of the Simple Authentication and Security Layer (SASL), a framework for adding authentication support to connection-based protocols. Its auxprop plugins, including the SQL plugin, look up and store user credentials in external backends.
libgcrypt: Libgcrypt is a general-purpose cryptographic library based on the code used in GNU Privacy Guard. The libgcrypt-devel package contains the files needed to develop applications using libgcrypt.


Security Fix(es):
cyrus-sasl: A flaw was found in the SQL plugin shipped with Cyrus SASL. The plugin fails to properly escape SQL input (improper input validation), so values it receives are interpreted as part of the SQL statement. This flaw allows an attacker to execute arbitrary SQL commands, including changing the passwords of other accounts, which allows escalation of privileges. Only deployments that use the SQL auxprop plugin are exposed. (CVE-2022-24407)
cyrus-sasl: bugfix
libgcrypt: A side-channel attack flaw was found in the way libgcrypt implemented ElGamal encryption. This flaw allows an attacker to decrypt parts of ciphertext encrypted using ElGamal, for example when ElGamal keys are used with OpenPGP. The highest threat from this vulnerability is to confidentiality. (CVE-2021-33560)
libgcrypt: bugfix
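The escaping failure behind CVE-2022-24407, modelled as an added example that is not Cyrus SASL's own code (the real plugin is C; this is a constructed Python stand-in against an in-memory SQLite table): a password-store routine that splices the caller-supplied value into the UPDATE statement, beside the parameterized form that treats the value as data. The table layout, the account names and the injected payload are assumptions made for illustration.

```python
"""Model of the CVE-2022-24407 bug class: an auxprop-style password store that
splices caller data into SQL, versus the parameterized form.
Constructed stand-in for illustration; not Cyrus SASL's own plugin code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table shaped like a simple SASL SQL backend (constructed sample rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "admin-secret"), ("bob", "bob-secret")],
    )
    con.commit()
    return con


def store_password_vulnerable(con: sqlite3.Connection, username: str, new_password: str) -> None:
    """Builds the UPDATE by string formatting with no escaping: the caller-controlled
    password value becomes part of the SQL grammar, not just a stored value."""
    sql = "UPDATE users SET password='%s' WHERE username='%s'" % (new_password, username)
    con.execute(sql)
    con.commit()


def store_password_fixed(con: sqlite3.Connection, username: str, new_password: str) -> None:
    """Same operation with bound parameters: the driver keeps the value out of the statement text."""
    con.execute("UPDATE users SET password=? WHERE username=?", (new_password, username))
    con.commit()


def password_of(con: sqlite3.Connection, username: str) -> str:
    """Reads back the stored password for one account."""
    return con.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()[0]


# Constructed payload submitted by user "bob" as his own new password: it closes the
# quoted value, points the WHERE clause at another account, and comments out the rest.
PAYLOAD = "pwned' WHERE username='admin' --"


def demo() -> dict:
    """Runs bob's password change through both versions and reports which rows changed."""
    vuln = make_db()
    store_password_vulnerable(vuln, "bob", PAYLOAD)
    fixed = make_db()
    store_password_fixed(fixed, "bob", PAYLOAD)
    return {
        "vulnerable_admin": password_of(vuln, "admin"),  # attacker-chosen value
        "vulnerable_bob": password_of(vuln, "bob"),      # untouched: the WHERE was redirected
        "fixed_admin": password_of(fixed, "admin"),      # untouched
        "fixed_bob": password_of(fixed, "bob"),          # the whole payload stored literally
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the vulnerable path the statement that reaches the database is `UPDATE users SET password='pwned' WHERE username='admin'`, so a user who can only set his own password rewrites the administrator's instead; with bound parameters the same input is stored verbatim as bob's password and no other row is touched.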


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.B0B9.

Affected Components

  • cyrus-sasl
  • libgcrypt

Affected Products

  • CGSL MAIN 6.02

Update Packages

CGSL MAIN 6.02

  Source: cyrus-sasl-2.1.27-6.el8_5.src.rpm
  • cyrus-sasl-2.1.27-6.el8_5.x86_64.rpm
  • cyrus-sasl-devel-2.1.27-6.el8_5.x86_64.rpm
  • cyrus-sasl-gssapi-2.1.27-6.el8_5.x86_64.rpm
  • cyrus-sasl-lib-2.1.27-6.el8_5.x86_64.rpm
  • cyrus-sasl-md5-2.1.27-6.el8_5.x86_64.rpm
  • cyrus-sasl-plain-2.1.27-6.el8_5.x86_64.rpm
  • cyrus-sasl-scram-2.1.27-6.el8_5.x86_64.rpm

  Source: libgcrypt-1.8.5-6.el8.src.rpm
  • libgcrypt-1.8.5-6.el8.x86_64.rpm
  • libgcrypt-devel-1.8.5-6.el8.x86_64.rpm
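A check that a practitioner applying this update will want: compare the package builds installed on a host against the fixed builds listed in this advisory. This is an added example, not NewStart tooling. It embeds the advisory's package list in the JSON form in which it is published, implements rpm's version ordering (digit runs compared numerically, alpha runs lexically; tilde and caret handling left out), and runs over a constructed sample of `rpm -qa` output. The helper that queries the live RPM database is there for real use and is not exercised by the sample run. Epoch is not encoded in the advisory's file names and is assumed equal.

```python
"""Compare installed RPM name-version-release strings against this advisory's fixed builds.
Added example; the fixed-package JSON is copied from the advisory, the installed list is a
constructed sample of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'` output."""
import json
import re
import subprocess
from typing import Dict, List, Tuple

ADVISORY_FIX = json.loads(
    '{"fix":[{"product":"CGSL MAIN 6.02","pkgs":[{"binary":["cyrus-sasl-2.1.27-6.el8_5.x86_64.rpm",'
    '"cyrus-sasl-devel-2.1.27-6.el8_5.x86_64.rpm","cyrus-sasl-gssapi-2.1.27-6.el8_5.x86_64.rpm",'
    '"cyrus-sasl-lib-2.1.27-6.el8_5.x86_64.rpm","cyrus-sasl-md5-2.1.27-6.el8_5.x86_64.rpm",'
    '"cyrus-sasl-plain-2.1.27-6.el8_5.x86_64.rpm","cyrus-sasl-scram-2.1.27-6.el8_5.x86_64.rpm"],'
    '"source":"cyrus-sasl-2.1.27-6.el8_5.src.rpm"},{"binary":["libgcrypt-1.8.5-6.el8.x86_64.rpm",'
    '"libgcrypt-devel-1.8.5-6.el8.x86_64.rpm"],"source":"libgcrypt-1.8.5-6.el8.src.rpm"}]}]}'
)

# Constructed sample of an unpatched host: cyrus-sasl-lib lags the fixed release,
# cyrus-sasl-gssapi and libgcrypt are already at the fixed build, openssl-libs is unrelated.
SAMPLE_INSTALLED = [
    "cyrus-sasl-lib-2.1.27-5.el8.x86_64",
    "cyrus-sasl-gssapi-2.1.27-6.el8_5.x86_64",
    "libgcrypt-1.8.5-6.el8.x86_64",
    "openssl-libs-1.1.1k-6.el8_5.x86_64",
]


def rpmvercmp(a: str, b: str) -> int:
    """rpm's segment-wise version comparison: 1 if a is newer, -1 if older, 0 if equal.
    Tilde/caret pre-release markers are not handled (assumption: not used in these builds)."""
    if a == b:
        return 0
    while True:
        a = re.sub(r"^[^A-Za-z0-9]+", "", a)  # separators carry no ordering
        b = re.sub(r"^[^A-Za-z0-9]+", "", b)
        if not a or not b:
            break
        if a[0].isdigit():
            ma, mb = re.match(r"[0-9]+", a), re.match(r"[0-9]+", b)
            if mb is None:  # a numeric segment outranks an alphabetic one
                return 1
            sa, sb = ma.group().lstrip("0"), mb.group().lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
            if sa != sb:
                return 1 if sa > sb else -1
        else:
            ma, mb = re.match(r"[A-Za-z]+", a), re.match(r"[A-Za-z]+", b)
            if mb is None:
                return -1
            sa, sb = ma.group(), mb.group()
            if sa != sb:
                return 1 if sa > sb else -1
        a, b = a[ma.end():], b[mb.end():]
    if not a and not b:
        return 0
    return -1 if not a else 1  # whichever side still has segments left is newer


def split_nvra(nvra: str) -> Tuple[str, str, str, str]:
    """'cyrus-sasl-lib-2.1.27-6.el8_5.x86_64' -> (name, version, release, arch)."""
    nvr, arch = nvra.rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch


def fixed_packages(advisory: dict) -> Dict[str, Tuple[str, str]]:
    """Map package name -> (version, release) for every binary RPM the advisory ships."""
    fixed = {}
    for product in advisory["fix"]:
        for src in product["pkgs"]:
            for rpm_file in src["binary"]:
                name, ver, rel, _arch = split_nvra(rpm_file[: -len(".rpm")])
                fixed[name] = (ver, rel)
    return fixed


def vr_cmp(a: Tuple[str, str], b: Tuple[str, str]) -> int:
    """Compare (version, release) pairs: version decides, release breaks ties."""
    c = rpmvercmp(a[0], b[0])
    return c if c else rpmvercmp(a[1], b[1])


def audit(installed: List[str], advisory: dict = ADVISORY_FIX) -> Dict[str, str]:
    """Return {package: 'vulnerable' | 'fixed'} for installed packages the advisory covers."""
    fixed = fixed_packages(advisory)
    result = {}
    for nvra in installed:
        name, ver, rel, _arch = split_nvra(nvra)
        if name in fixed:
            result[name] = "fixed" if vr_cmp((ver, rel), fixed[name]) >= 0 else "vulnerable"
    return result


def installed_from_rpm() -> List[str]:
    """Live query of the local RPM database; only meaningful on an RPM-based host."""
    out = subprocess.run(
        ["rpm", "-qa", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n"],
        check=True, capture_output=True, text=True,
    ).stdout
    return out.split()


if __name__ == "__main__":
    for pkg, status in sorted(audit(SAMPLE_INSTALLED).items()):
        print(f"{pkg}: {status}")
```

On a real CGSL host replace `SAMPLE_INSTALLED` with `installed_from_rpm()`; any package reported as vulnerable is below the build this advisory ships and should be updated per the procedure linked in the Solution section.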

CVE

  • CVE-2022-24407
  • CVE-2021-33560

References