
cyrus-sasl2 requires update (security, #275431; usability: #274087)
Gentoo found a local privilege escalation bug in SASL.  This affects
SASL 1.5 (woody, sarge, sid) and SASL 2.1 (sarge, sid).  The security team
has been notified, and packages for stable are on the way.

NMUs with fixed packages are already in sid. cyrus-sasl was uploaded with
urgency=emergency and should be moved to sarge today, since it is not
frozen (if the hppa autobuilder shows up, anyway).

cyrus-sasl2 is frozen, and will require manual action by the release team to
update sarge. It was uploaded with urgency=high, and must wait another day
or two to clear the testing requirements.

I also snuck in a fix for #274087, which is release-critical.  The fix has
been in sasl 1.5 since forever, and nobody ever complained that it broke
things.  That bug is really hairy: Either the fix for #274087 works, or we
have some bad choices ahead of us:
  1. to remove libnss-ldap from the archive because it will have a
     permanent critical bug (breaks any applications using libsasl2), or
  2. update libldap (removing ALL sasl support from it, or providing a 
     non-SASL-enabled version, and changing libnss-ldap to use the 
     non-SASL-version).
Note that openldap is doing things to SASL that no sane person would in a
library (but that might very well be required to get it to work -- this is
related to a clear design bug in SASL's API).

I cannot use the pages at http://www.wolffelaar.nl/~sarge/, because, well,
the browser seems to spin forever and I don't get back any data from the
server :)

The NMU diff for cyrus-sasl2 is available at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=275498

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh