important: cyrus-sasl/libgcrypt security update
important
An update for cyrus-sasl/libgcrypt is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of important. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
cyrus-sasl: This package provides debug information for package cyrus-sasl-md5. Debug information is useful when developing applications that use this package or when debugging this package.
libgcrypt: Libgcrypt is a general purpose crypto library based on the code used in GNU Privacy Guard. This package contains files needed to develop applications using libgcrypt.
Security Fix(es):
cyrus-sasl: A flaw was found in the SQL plugin shipped with Cyrus SASL. The vulnerability occurs due to failure to properly escape SQL input and leads to an improper input validation vulnerability. This flaw allows an attacker to execute arbitrary SQL commands and the ability to change the passwords for other accounts allowing escalation of privileges.(CVE-2022-24407)
cyrus-sasl: bugfix
libgcrypt: A side-channel attack flaw was found in the way libgcrypt implemented Elgamal encryption. This flaw allows an attacker to decrypt parts of ciphertext encrypted using Elgamal, for example, when using OpenPGP. The highest threat from this vulnerability is to confidentiality.(CVE-2021-33560)
libgcrypt: bugfix
Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.B0B9.