CVE-2019-19906
First published: Thu Dec 19 2019(Updated: )
cyrus-sasl (aka Cyrus SASL) 2.1.27 has an out-of-bounds write leading to unauthenticated remote denial-of-service in OpenLDAP via a malformed LDAP packet. The OpenLDAP crash is ultimately caused by an off-by-one error in _sasl_add_string in common.c in cyrus-sasl.
Credit: CVE-2019-19906 cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/cyrus-sasl2 | <=2.1.27~101-g0780600+dfsg-3<=2.1.27+dfsg-1 | 2.1.27+dfsg-1+deb10u1 2.1.27~101-g0780600+dfsg-3+deb9u1 2.1.27+dfsg-2 |
| ubuntu/cyrus-sasl2 | <2.1.27~101- | 2.1.27~101- |
| ubuntu/cyrus-sasl2 | <2.1.27+dfsg-1ubuntu0.1 | 2.1.27+dfsg-1ubuntu0.1 |
| ubuntu/cyrus-sasl2 | <2.1.25.dfsg1-17ubuntu0.1~ | 2.1.25.dfsg1-17ubuntu0.1~ |
| ubuntu/cyrus-sasl2 | <2.1.26.dfsg1-14ubuntu0.2 | 2.1.26.dfsg1-14ubuntu0.2 |
| debian/cyrus-sasl2 | 2.1.27+dfsg-2.1+deb11u1 2.1.28+dfsg-10 2.1.28+dfsg1-7 2.1.28+dfsg1-8 | |
| macOS Catalina | <10.15.6 | 10.15.6 |
| macOS Mojave | ||
| macOS High Sierra | ||
| Apple iOS, iPadOS, and watchOS | <13.6 | 13.6 |
| Apple iOS, iPadOS, and watchOS | <13.6 | 13.6 |
| cyrusimap cyrus-sasl | <2.1.28 | |
| Debian GNU/Linux | =8.0 | |
| Debian GNU/Linux | =9.0 | |
| Debian GNU/Linux | =10.0 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =19.10 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 | |
| Red Hat JBoss Enterprise Web Server | =2.0.0 | |
| Apple iOS and macOS | =10.14.6 | |
| Red Hat Enterprise Linux | =5.0 | |
| Red Hat Enterprise Linux | =6.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| redhat enterprise Linux eus | =8.4 | |
| redhat enterprise Linux for ibm z systems | =8.0 | |
| redhat enterprise Linux for ibm z systems eus | =8.4 | |
| redhat enterprise Linux for power little endian | =8.0 | |
| redhat enterprise Linux for power little endian eus | =8.4 | |
| redhat enterprise Linux server aus | =8.4 | |
| redhat enterprise Linux server for power little endian update services for sap solutions | =8.4 | |
| redhat enterprise Linux server tus | =8.4 | |
| redhat enterprise Linux server update services for sap solutions | =8.4 | |
| Apple iOS, iPadOS, and watchOS | =13.6 | |
| iOS | =13.6 | |
| Apple iOS and macOS | <10.13.6 | |
| Apple iOS and macOS | >=10.13.0<10.13.6 | |
| Apple iOS and macOS | >=10.15.0<10.15.6 | |
| Apple iOS and macOS | =10.13.6 | |
| Apple iOS and macOS | =10.13.6-security_update_2018-002 | |
| Apple iOS and macOS | =10.13.6-security_update_2018-003 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-001 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-002 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-003 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-004 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-005 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-006 | |
| Apple iOS and macOS | =10.13.6-security_update_2019-007 | |
| Apple iOS and macOS | =10.13.6-security_update_2020-001 | |
| Apple iOS and macOS | =10.13.6-security_update_2020-002 | |
| Apple iOS and macOS | =10.13.6-security_update_2020-003 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-001 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-002 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-004 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-005 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-006 | |
| Apple iOS and macOS | =10.14.6-security_update_2019-007 | |
| Apple iOS and macOS | =10.14.6-security_update_2020-001 | |
| Apple iOS and macOS | =10.14.6-security_update_2020-002 | |
| Apple iOS and macOS | =10.14.6-security_update_2020-003 | |
| All of | ||
| Apache Bookkeeper | =4.12.1 | |
| CentOS CentOS | =7.0 | |
| Cyrus SASL | <2.1.28 | |
| Debian | =8.0 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.10 | |
| Fedora | =31 | |
| Fedora | =32 | |
| Apache Bookkeeper | =4.12.1 | |
| CentOS Stream | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/cyrusimap/cyrus-sasl/issues/587
- https://github.com/cyrusimap/cyrus-sasl/commit/dcc9f51cbd4ed622cfb0f9b1c141eb2ffe3b12f1
- https://github.com/cyrusimap/cyrus-sasl/commit/f96ba043fb9ffd30f7089564164203136506e7ab
- https://github.com/cyrusimap/cyrus-sasl/commit/332b8c591b662bce4a2dae55cad9784e15096908
- https://github.com/cyrusimap/cyrus-sasl/commit/5ac1beeb574cd9d0a518d72330b19d2460688089
- https://www.openldap.org/its/index.cgi/Incoming?id=9123
- https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28
- https://github.com/cyrusimap/cyrus-sasl/pull/655
- https://security-tracker.debian.org/tracker/CVE-2019-19906
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19906
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947043
- https://support.apple.com/en-us/HT211289 (Advisory)
- https://support.apple.com/en-us/HT211288 (Advisory)
- http://seclists.org/fulldisclosure/2020/Jul/23
- http://seclists.org/fulldisclosure/2020/Jul/24
- http://www.openwall.com/lists/oss-security/2022/02/23/4
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2019/12/msg00027.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MW6GZCLECGL2PBNHVNPJIX4RPVRVFR7R/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OB4GSVOJ6ESHQNT5GSV63OX5D4KPSTGT/
- https://seclists.org/bugtraq/2019/Dec/42
- https://support.apple.com/kb/HT211288
- https://support.apple.com/kb/HT211289
- https://usn.ubuntu.com/4256-1/
- https://www.debian.org/security/2019/dsa-4591
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MW6GZCLECGL2PBNHVNPJIX4RPVRVFR7R/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OB4GSVOJ6ESHQNT5GSV63OX5D4KPSTGT/
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://ubuntu.com/security/notices/USN-4256-1
- https://www.cve.org/CVERecord?id=CVE-2019-19906
- https://nvd.nist.gov/vuln/detail/CVE-2019-19906
- https://launchpad.net/bugs/cve/CVE-2019-19906
- https://ubuntu.com/security/CVE-2019-19906
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2020-9927
- CVE-2020-9884
- CVE-2020-9889
- CVE-2020-9888
- CVE-2020-9890
- CVE-2020-9891
- CVE-2020-9928
- CVE-2020-9929
- CVE-2020-9870
- CVE-2020-9866
- CVE-2020-9869
- CVE-2020-9949
- CVE-2020-9934
- CVE-2020-9883
- CVE-2020-9865
- CVE-2020-9900
- CVE-2020-9980
- CVE-2020-9799
- CVE-2020-9913
- CVE-2020-27933
- CVE-2020-11758
- CVE-2020-11759
- CVE-2020-11760
- CVE-2020-11761
- CVE-2020-11762
- CVE-2020-11763
- CVE-2020-11764
- CVE-2020-11765
- CVE-2020-9871
- CVE-2020-9872
- CVE-2020-9874
- CVE-2020-9879
- CVE-2020-9936
- CVE-2020-9937
- CVE-2020-9919
- CVE-2020-9876
- CVE-2020-9873
- CVE-2020-9938
- CVE-2020-9877
- CVE-2020-9875
- CVE-2020-9984
- CVE-2020-9887
- CVE-2020-9908
- CVE-2020-9990
- CVE-2020-9921
- CVE-2019-14899
- CVE-2020-9904
- CVE-2020-9924
- CVE-2020-9892
- CVE-2020-9863
- CVE-2020-9902
- CVE-2020-9905
- CVE-2020-9997
- CVE-2020-9926
- CVE-2020-9994
- CVE-2020-9935
- CVE-2019-19906
- CVE-2020-9920
- CVE-2020-9922
- CVE-2020-9885
- CVE-2020-9878
- CVE-2020-9880
- CVE-2020-9881
- CVE-2020-9882
- CVE-2020-9940
- CVE-2020-9985
- CVE-2020-12243
- CVE-2020-10878
- CVE-2020-12723
- CVE-2014-9512
- CVE-2020-9930
- CVE-2020-9939
- CVE-2020-9864
- CVE-2020-9868
- CVE-2020-9854
- CVE-2020-9901
- CVE-2019-20807
- CVE-2020-9898
- CVE-2020-9918
- CVE-2020-9899
- CVE-2020-9906
- CVE-2020-9907
- CVE-2020-9931
- CVE-2020-9933
- CVE-2020-9914
- CVE-2020-9923
- CVE-2020-9909
- CVE-2020-9903
- CVE-2020-9911
- CVE-2020-9894
- CVE-2020-9915
- CVE-2020-9893
- CVE-2020-9895
- CVE-2020-9925
- CVE-2020-9910
- CVE-2020-9916
- CVE-2020-9862
- CVE-2020-6514
- CVE-2020-9917
Frequently Asked Questions
What is CVE-2019-19906?
CVE-2019-19906 is a vulnerability in Mail that allows for an out-of-bounds write issue.
How does CVE-2019-19906 affect Apple macOS Catalina?
CVE-2019-19906 affects Apple macOS Catalina version up to and excluding 10.15.6.
How does CVE-2019-19906 affect Apple Mojave?
CVE-2019-19906 affects Apple Mojave.
How does CVE-2019-19906 affect Apple High Sierra?
CVE-2019-19906 affects Apple High Sierra.
How does CVE-2019-19906 affect Apple iOS?
CVE-2019-19906 affects Apple iOS version up to and excluding 13.6.
How does CVE-2019-19906 affect Apple iPadOS?
CVE-2019-19906 affects Apple iPadOS version up to and excluding 13.6.
How can I fix CVE-2019-19906?
To fix CVE-2019-19906, update your system to the latest version of the affected software.
Where can I find more information about CVE-2019-19906?
You can find more information about CVE-2019-19906 in the references provided by Apple: [Reference 1](https://support.apple.com/en-us/HT211289) and [Reference 2](https://support.apple.com/en-us/HT211288).
- collector/debian-bugs
- alias/CVE-2019-19906
- agent/weakness
- agent/type
- agent/remedy
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/references
- agent/description
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/event
- collector/security-tracker-debian
- source/Debian
- agent/trending
- agent/source
- agent/author
- collector/apple-support
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/debian
- package-manager/ubuntu
- vendor/apple
- canonical/macos catalina
- canonical/macos mojave
- canonical/macos high sierra
- canonical/apple ios, ipados, and watchos
- vendor/cyrusimap
- canonical/cyrusimap cyrus-sasl
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/8.0
- version/debian gnu/linux/9.0
- version/debian gnu/linux/10.0
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/12.04
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/19.10
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32
- vendor/redhat
- canonical/red hat jboss enterprise web server
- version/red hat jboss enterprise web server/2.0.0
- canonical/apple ios and macos
- version/apple ios and macos/10.14.6
- canonical/red hat enterprise linux
- version/red hat enterprise linux/5.0
- version/red hat enterprise linux/6.0
- version/red hat enterprise linux/7.0
- version/red hat enterprise linux/8.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/8.4
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/8.0
- canonical/redhat enterprise linux for ibm z systems eus
- version/redhat enterprise linux for ibm z systems eus/8.4
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/8.0
- canonical/redhat enterprise linux for power little endian eus
- version/redhat enterprise linux for power little endian eus/8.4
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/8.4
- canonical/redhat enterprise linux server for power little endian update services for sap solutions
- version/redhat enterprise linux server for power little endian update services for sap solutions/8.4
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/8.4
- canonical/redhat enterprise linux server update services for sap solutions
- version/redhat enterprise linux server update services for sap solutions/8.4
- version/apple ios, ipados, and watchos/13.6
- canonical/ios
- version/ios/13.6
- version/apple ios and macos/10.13.0
- version/apple ios and macos/10.15.0
- version/apple ios and macos/10.13.6
- version/apple ios and macos/10.13.6-security_update_2018-002
- version/apple ios and macos/10.13.6-security_update_2018-003
- version/apple ios and macos/10.13.6-security_update_2019-001
- version/apple ios and macos/10.13.6-security_update_2019-002
- version/apple ios and macos/10.13.6-security_update_2019-003
- version/apple ios and macos/10.13.6-security_update_2019-004
- version/apple ios and macos/10.13.6-security_update_2019-005
- version/apple ios and macos/10.13.6-security_update_2019-006
- version/apple ios and macos/10.13.6-security_update_2019-007
- version/apple ios and macos/10.13.6-security_update_2020-001
- version/apple ios and macos/10.13.6-security_update_2020-002
- version/apple ios and macos/10.13.6-security_update_2020-003
- version/apple ios and macos/10.14.6-security_update_2019-001
- version/apple ios and macos/10.14.6-security_update_2019-002
- version/apple ios and macos/10.14.6-security_update_2019-004
- version/apple ios and macos/10.14.6-security_update_2019-005
- version/apple ios and macos/10.14.6-security_update_2019-006
- version/apple ios and macos/10.14.6-security_update_2019-007
- version/apple ios and macos/10.14.6-security_update_2020-001
- version/apple ios and macos/10.14.6-security_update_2020-002
- version/apple ios and macos/10.14.6-security_update_2020-003
- vendor/apache
- canonical/apache bookkeeper
- version/apache bookkeeper/4.12.1
- vendor/centos
- canonical/centos centos
- version/centos centos/7.0
- canonical/cyrus sasl
- canonical/debian
- version/debian/8.0
- version/debian/9.0
- version/debian/10.0
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/19.10
- canonical/fedora
- version/fedora/31
- version/fedora/32
- canonical/centos stream
- version/centos stream/7.0