
Re: cyrus-sasl2 requires update (security, #275431; usability: #274087)
On Sat, Oct 09, 2004 at 10:25:29AM -0300, Henrique de Moraes Holschuh wrote:
> Gentoo found a local privilege escalation bug in SASL.  This affects
> SASL 1.5 (woody, sarge, sid) and SASL 2.1 (sarge, sid).  The security team
> has been notified, and packages for stable are on the way.

> NMUs with fixed packages are already on sid. cyrus-sasl was uploaded with
> urgency=emergency and should be moved to sarge today, since it is not
> frozen (if the hppa autobuilder shows up, anyway).

> cyrus-sasl2 is frozen, and will require manual action by the release team to
> update sarge. It was uploaded with urgency=high, and must wait another day
> or two to clear the testing requirements.

> I also snuck in a fix for #274087, which is release-critical.  The fix has
> been in sasl 1.5 since forever, and nobody ever complained that it broke
> things.  That bug is really hairy: Either the fix for #274087 works, or we
> have some bad choices ahead of us:
>   1. to remove libnss-ldap from the archive because it will have a
>      permanent critical bug (breaks any applications using libsasl2), or
>   2. update libldap (removing ALL sasl support from it, or providing a
>      non-SASL-enabled version, and changing libnss-ldap to use the
>      non-SASL-version).
> Note that openldap is doing things to SASL that no sane person would in a
> library (but that might very well be required to get it to work -- this is
> related to a clear design bug in SASL's API).

Approved.

Thanks,
-- 
Steve Langasek
postmodern programmer
