
Red Hat alert RHSA-2004:546-02 (cyrus-sasl)

From:  bugzilla@redhat.com
To:  enterprise-watch-list@redhat.com
Subject:  [RHSA-2004:546-02] Updated cyrus-sasl packages fix security flaw
Date:  Thu, 7 Oct 2004 18:11 -0400

---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis:    Updated cyrus-sasl packages fix security flaw
Advisory ID: RHSA-2004:546-02
Issue date:  2004-10-07
Updated on:  2004-10-07
Product:     Red Hat Enterprise Linux
Keywords:    environment
CVE Names:   CAN-2004-0884
---------------------------------------------------------------------

1. Summary:

Updated cyrus-sasl packages that fix a setuid and setgid application vulnerability are now available.

[Updated 7th October 2004]
Revised cyrus-sasl packages have been added for Red Hat Enterprise Linux 3; the patch in the previous packages broke interaction with LDAP.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64
Red Hat Linux Advanced Workstation 2.1 - ia64
Red Hat Enterprise Linux ES version 2.1 - i386
Red Hat Enterprise Linux WS version 2.1 - i386
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.

At application startup, libsasl and libsasl2 attempt to build a list of all SASL plug-ins installed on the system. To do so, the libraries search for and attempt to load every shared library found within the plug-in directory. This location can be set with the SASL_PATH environment variable. In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setuid or setgid application.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0884 to this issue.

Users of cyrus-sasl should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue.

4. Solution:

Before applying this update, make sure that all previously released errata relevant to your system have been applied.

Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command:

    up2date

For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system:

http://www.redhat.com/docs/manuals/enterprise/

5. Bug IDs fixed (http://bugzilla.redhat.com/ for more info):

134657 - CAN-2004-0884 privilege escalation
134979 - cyrus-sasl causes crashes with ldap

6. RPMs required:

Red Hat Enterprise Linux AS (Advanced Server) version 2.1:
SRPMS: ftp://updates.redhat.com/enterprise/2.1AS/en/os/SRPMS/cyr...

Red Hat Linux Advanced Workstation 2.1:
SRPMS: ftp://updates.redhat.com/enterprise/2.1AW/en/os/SRPMS/cyr...

Red Hat Enterprise Linux ES version 2.1:
SRPMS: ftp://updates.redhat.com/enterprise/2.1ES/en/os/SRPMS/cyr...

Red Hat Enterprise Linux WS version 2.1:
SRPMS: ftp://updates.redhat.com/enterprise/2.1WS/en/os/SRPMS/cyr...

Red Hat Enterprise Linux AS version 3:
SRPMS: ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cyrus...

Red Hat Desktop version 3:
SRPMS: ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/...

Red Hat Enterprise Linux ES version 3:
SRPMS: ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cyrus...

Red Hat Enterprise Linux WS version 3:
SRPMS: ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cyrus...

The updated packages are cyrus-sasl-1.5.24-26 (Enterprise Linux 2.1 products) and cyrus-sasl-2.1.15-10 (Enterprise Linux 3 products), each with the matching -devel, -gssapi, -md5 and -plain sub-packages; the per-architecture md5sum list has been omitted here.

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

7. References:

https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sa...
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0884

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

--
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-...
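The flaw in section 3 comes down to a library honouring SASL_PATH even when the process runs with privileges its invoker does not hold. The C below is an added illustration written for this page, not cyrus-sasl's own code or its actual patch: it contrasts a loader that trusts the variable unconditionally with one that ignores the environment whenever real and effective ids differ. The default directory and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Compiled-in default plug-in directory (assumed value for this example). */
#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl2"

/* Returns 1 when the process holds privileges the invoking user lacks:
 * real and effective ids differ, as in a setuid or setgid binary, so
 * nothing inherited from the environment can be trusted. */
int running_privileged(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Vulnerable behaviour: whatever SASL_PATH says is the directory that will
 * be scanned and every shared object in it dlopen()ed, regardless of who
 * controls the environment. sasl_path is NULL when the variable is unset. */
const char *plugin_dir_vulnerable(const char *sasl_path)
{
    return sasl_path ? sasl_path : DEFAULT_PLUGIN_DIR;
}

/* Hardened behaviour: the environment is consulted only when the process
 * runs with the invoker's own identity; a privileged process always falls
 * back to the compiled-in directory. */
const char *plugin_dir_hardened(const char *sasl_path,
                                uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    if (running_privileged(uid, euid, gid, egid))
        return DEFAULT_PLUGIN_DIR;
    return plugin_dir_vulnerable(sasl_path);
}

int main(void)
{
    const char *env = getenv("SASL_PATH");
    const char *dir = plugin_dir_hardened(env, getuid(), geteuid(),
                                          getgid(), getegid());
    printf("scanning %s for SASL plug-ins\n", dir);
    return 0;
}
```

On glibc systems the same decision can be delegated to secure_getenv(), which returns NULL for a process the kernel marked as privileged at exec time.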



Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds