{
  "threat_severity" : "Important",
  "public_date" : "2008-05-15T00:00:00Z",
  "bugzilla" : {
    "description" : "cyrus-sasl: sasl_encode64() does not reliably null-terminate its output",
    "id" : "487251",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=487251"
  },
  "cvss" : {
    "cvss_base_score" : "6.4",
    "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:P/I:N/A:P",
    "status" : "verified"
  },
  "details" : [ "Multiple buffer overflows in the CMU Cyrus SASL library before 2.1.23 might allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via strings that are used as input to the sasl_encode64 function in lib/saslutil.c." ],
  "statement" : "The upstream fix for this issue is not backwards compatible and introduces an ABI change not allowed in Red Hat Enterprise Linux. Therefore, there is no plan to address this problem directly in the cyrus-sasl packages.\nAll applications shipped in Red Hat Enterprise Linux that use the affected sasl_encode64() function were investigated and patched if their use of the function could have security consequences. See the following bug report for further details: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-0688#c20",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 4",
    "release_date" : "2009-06-18T00:00:00Z",
    "advisory" : "RHSA-2009:1116",
    "cpe" : "cpe:/o:redhat:enterprise_linux:4",
    "package" : "cyrus-imapd-0:2.2.12-10.el4_8.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "release_date" : "2009-06-18T00:00:00Z",
    "advisory" : "RHSA-2009:1116",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5",
    "package" : "cyrus-imapd-0:2.3.7-2.el5_3.2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2009-0688\nhttps://nvd.nist.gov/vuln/detail/CVE-2009-0688" ],
  "name" : "CVE-2009-0688",
  "csaw" : false
}