ALAS2023-2023-063

Amazon Linux 2023 Security Advisory: ALAS-2023-063
Advisory Release Date: 2023-02-17 20:45 Pacific
Advisory Updated Date: 2023-02-22 23:33 Pacific
Severity: Important
Issue Overview:

A flaw was found in the SQL plugin shipped with Cyrus SASL. Failure to properly escape the SQL input allows a remote attacker to execute arbitrary SQL commands. This issue can lead to the escalation of privileges. (CVE-2022-24407)


Affected Packages:

cyrus-sasl


Issue Correction:
Run dnf update cyrus-sasl --releasever=2023.0.20230222 to update your system.

New Packages:
aarch64:
    cyrus-sasl-sql-debuginfo-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-lib-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-devel-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-ntlm-debuginfo-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-gs2-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-md5-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-ldap-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-debugsource-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-lib-debuginfo-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-scram-debuginfo-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-gssapi-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-plain-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-debuginfo-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-gssapi-debuginfo-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-devel-debuginfo-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-md5-debuginfo-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-scram-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-ntlm-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-sql-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-gs2-debuginfo-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-plain-debuginfo-2.1.27-18.amzn2023.0.3.aarch64
    cyrus-sasl-ldap-debuginfo-2.1.27-18.amzn2023.0.3.aarch64

src:
    cyrus-sasl-2.1.27-18.amzn2023.0.3.src

x86_64:
    cyrus-sasl-md5-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-devel-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-devel-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-lib-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-md5-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-debugsource-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-gs2-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-scram-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-gs2-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-ldap-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-lib-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-ntlm-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-sql-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-sql-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-gssapi-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-scram-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-ldap-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-plain-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-gssapi-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-ntlm-debuginfo-2.1.27-18.amzn2023.0.3.x86_64
    cyrus-sasl-plain-2.1.27-18.amzn2023.0.3.x86_64

Additional References

Red Hat: CVE-2022-24407

Mitre: CVE-2022-24407