Comment 5 for bug 8883

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 08 Oct 2004 10:47:03 -0400
From: Henrique de Moraes Holschuh <email address hidden>
To: <email address hidden>
Cc: Henrique de Moraes Holschuh <email address hidden>, Dima Barsky <email address hidden>
Subject: Fixed in NMU of cyrus-sasl2 2.1.19-1.2

tag 274087 + fixed
tag 275431 + fixed

quit

This message was generated automatically in response to a
non-maintainer upload. The .changes file follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 8 Oct 2004 11:15:39 -0300
Source: cyrus-sasl2
Binary: libsasl2 libsasl2-modules-sql sasl2-bin libsasl2-modules libsasl2-dev libsasl2-modules-gssapi-heimdal libsasl2-modules-kerberos-heimdal
Architecture: source i386
Version: 2.1.19-1.2
Distribution: unstable
Urgency: high
Maintainer: Dima Barsky <email address hidden>
Changed-By: Henrique de Moraes Holschuh <email address hidden>
Description:
 libsasl2 - Authentication abstraction library
 libsasl2-dev - Development files for authentication abstraction library
 libsasl2-modules - Pluggable Authentication Modules for SASL
 libsasl2-modules-gssapi-heimdal - Pluggable Authentication Modules for SASL
 libsasl2-modules-kerberos-heimdal - Pluggable Authentication Modules for SASL
 libsasl2-modules-sql - Pluggable Authentication Modules for SASL
 sasl2-bin - Programs for manipulating the SASL users database
Closes: 274087 275431
Changes:
 cyrus-sasl2 (2.1.19-1.2) unstable; urgency=high
 .
   * NMU, since I am not sure Dima is back yet
   * SECURITY FIX: SASL_PATH environment variable must not be honoured in
     setuid environments, otherwise we have a local privilege escalation
     exploit (CVE: CAN-2004-0884), related advisories: RHSA-2004:546-02;
     GLSA 200410-05
     * upstream CVS: lib/common.c: don't honor SASL_PATH in setuid
       environment. from Gentoo (CVE CAN-2004-0884); (closes: #275431)
   * upstream CVS: plugins/kerberos4.c: document weirdness with openssl DES
   * upstream CVS: plugins/cram.c,plugins/anonymous.c,plugins/login.c,
     plugins/plain.c,plugins/sasldb.c: Fixed several 64 bit portability
     warnings
   * Forward port sasl_set_alloc locking patch from SASL 1.5, to avoid
     problems with the braindead idea of globals SASL has, and with libraries
     that think they can get around mucking with them (hello openldap!)
     (closes: #274087)
Files:
 3babd0a1794f1ad1e049315db5abc325 1062 devel important cyrus-sasl2_2.1.19-1.2.dsc
 e489181f0ca74cace906efa79a2cbb8c 30654 devel important cyrus-sasl2_2.1.19-1.2.diff.gz
 c3509401264b0939e7989fbb6ff67da5 112786 utils important sasl2-bin_2.1.19-1.2_i386.deb
 b69a98c3039f0704f859ec28c9b75862 155828 libs important libsasl2-modules_2.1.19-1.2_i386.deb
 0eeddbff8fee4a4b283b8c33710e8bc1 50992 libs optional libsasl2-modules-sql_2.1.19-1.2_i386.deb
 82fd1fc5f09fb53a7d6a4af85dcb937f 53016 libs optional libsasl2-modules-gssapi-heimdal_2.1.19-1.2_i386.deb
 4bbce17451309ff60819a4ea20fda7e9 52696 libs optional libsasl2-modules-kerberos-heimdal_2.1.19-1.2_i386.deb
 8125b12a6cabff4e72b38bb04476d3e4 258138 libs important libsasl2_2.1.19-1.2_i386.deb
 e825bd4e73049bd70dba004661880a8d 245878 libdevel optional libsasl2-dev_2.1.19-1.2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBZqX97iXePxzbD+MRAiJTAJ0TZ3h9xRTrDdjoY1ji840VpyQoOACfYFKZ
9R0pq3Zge7GGyTLtboFsKF8=
=P67P
-----END PGP SIGNATURE-----
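The lib/common.c change referenced in the changelog above, illustrated as an added example. This is not the cyrus-sasl2 code from this upload: the function names, the environment-variable macro and the default plugin directory (/usr/lib/sasl2) are assumptions chosen for the example. It contrasts the pre-fix behaviour, where the plugin search path is taken from SASL_PATH unconditionally, with the fixed behaviour, where the variable is honoured only when real and effective user and group IDs match, so a setuid or setgid program cannot be pointed at attacker-controlled plugin objects. The real/effective IDs are passed in as parameters so the two branches can be exercised without actually running setuid.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed compile-time default plugin directory; the real build substitutes
 * its own value. */
#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl2"
/* Name of the environment variable discussed in the changelog. */
#define PLUGIN_PATH_ENV "SASL_PATH"

/* Pre-fix behaviour: the environment variable is honoured unconditionally.
 * A local user who can run a setuid program that links the library can set
 * SASL_PATH to a directory of their own shared objects and have them loaded
 * with elevated privilege (CAN-2004-0884). */
const char *plugin_path_unsafe(const char *env_value)
{
    return (env_value && *env_value) ? env_value : DEFAULT_PLUGIN_DIR;
}

/* Fixed behaviour: honour SASL_PATH only when the process has not changed
 * privilege, i.e. real and effective uid/gid all match. Otherwise fall back
 * to the compiled-in default. */
const char *plugin_path_safe(const char *env_value,
                             uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    int privileged = (uid != euid) || (gid != egid);
    if (!privileged && env_value && *env_value)
        return env_value;
    return DEFAULT_PLUGIN_DIR;
}

/* Wrapper reading the live process state, as library code would. */
const char *current_plugin_path(void)
{
    return plugin_path_safe(getenv(PLUGIN_PATH_ENV),
                            getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    /* Constructed attacker-controlled value for demonstration. */
    const char *attacker = "/tmp/evil";

    printf("unprivileged (uid 1000/euid 1000): unsafe=%s safe=%s\n",
           plugin_path_unsafe(attacker),
           plugin_path_safe(attacker, 1000, 1000, 1000, 1000));
    printf("setuid root  (uid 1000/euid 0):    unsafe=%s safe=%s\n",
           plugin_path_unsafe(attacker),
           plugin_path_safe(attacker, 1000, 0, 1000, 1000));
    printf("this process: %s\n", current_plugin_path());
    return 0;
}
```

Comparing real and effective IDs is the check the changelog describes, and it closes the setuid case, but it is a heuristic: a process that has already dropped privilege back to equal IDs, or that gained privilege through file capabilities rather than setuid, is not detected. On glibc, secure_getenv() (which consults the kernel's AT_SECURE flag) and on the BSDs issetugid() give a more reliable answer and are what a practitioner would reach for in new code.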