2 published verifications about Cyrus SASL
“Cyrus SASL library versions 2.1.9 and earlier have a buffer overflow vulnerability that can be triggered by long inputs during user name canonicalization.”
The evidence strongly supports this as the long-documented Cyrus SASL flaw CVE-2002-1347. Multiple independent advisories state that Cyrus SASL 2.1.9 and earlier are vulnerable to a buffer overflow triggered by long usernames during canonicalization. Conflicting references point to a separate 2026 MongoDB C Driver integration bug, not the library vulnerability described here.
“Debian Security Advisory DSA-180-1 describes a buffer overflow vulnerability involving Cyrus SASL usernames.”
Debian’s own advisory materials explicitly describe Cyrus SASL buffer overflows tied to username handling, including overflows triggered by long usernames. Other records, including the Debian tracker and CVE references, align with that description. The main caveat is that DSA-180-1 also mentions realm-related handling and multiple overflows, but that does not undermine the claim.