Dominic Hargreaves
20/02/05, 03:15
--2fHTh5uZTiUOsy+g
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated cyrus-sasl resolves security vulnerabilities
Advisory ID: FLSA:2137
Issue date: 2005-02-17
Product: Red Hat Linux
Fedora Core
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=3D2137
CVE Names: CAN-2004-0884
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated cyrus-sasl packages that fix a security vulnerability are now
available.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
3. Problem description:
The cyrus-sasl package contains the Cyrus implementation of SASL.
SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.
At application startup, libsasl and libsasl2 attempts to build a list
of all available SASL plug-ins which are available on the system. To do
so, the libraries search for and attempt to load every shared library found
within the plug-in directory. This location can be set with the SASL_PATH
environment variable.
In situations where an untrusted local user can affect the environment of a
privileged process, this behavior could be exploited to run arbitrary code
with the privileges of a setuid or setgid application. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0884 to this issue.
4. Solution:
Before applying this update, make sure all previously released errata=20
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those=20
RPMs which are currently installed will be updated. Those RPMs which are=
=20
not installed but included in the list will not be updated. Note that you=
=20
can also use wildcards (*.rpm) if your current directory *only* contains=20
the desired RPMs.
Please note that this update is also available via yum and apt. Many=20
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate=
=20
RPMs being upgraded on your system. This assumes that you have yum or=20
apt-get configured for obtaining Fedora Legacy content. Please visit=20
http://www fedoralegacy.org/docs for directions on how to configure yum=20
and apt-get.
5. Bug IDs fixed:
http://bugzilla.fedora.us - 2137 - cyrus-sasl setuid/setgid flaw
(CAN-2004-0884)
6. RPMs required:
Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/cyrus-sasl-1.5.24=
-25.2.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cyrus-sasl-1.5.24-=
25.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cyrus-sasl-devel-1=
=2E5.24-25.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cyrus-sasl-gssapi-=
1.5.24-25.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cyrus-sasl-md5-1.5=
=2E24-25.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cyrus-sasl-plain-1=
=2E5.24-25.2.legacy.i386.rpm
Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/cyrus-sasl-2.1.10-4=
=2E2.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/cyrus-sasl-2.1.10-4.=
2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cyrus-sasl-devel-2.1=
=2E10-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cyrus-sasl-gssapi-2.=
1.10-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cyrus-sasl-md5-2.1.1=
0-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cyrus-sasl-plain-2.1=
=2E10-4.2.legacy.i386.rpm
Fedora Core 1
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/cyrus-sasl-2.1.15-6=
=2E2.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/cyrus-sasl-2.1.15-6.=
2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cyrus-sasl-devel-2.1=
=2E15-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cyrus-sasl-gssapi-2.=
1.15-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cyrus-sasl-md5-2.1.1=
5-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cyrus-sasl-plain-2.1=
=2E15-6.2.legacy.i386.rpm
7. Verification:
SHA1 sum Package Name
---------------------------------------------------------------------------
b1a8f0ec581a4241ad5426c66610fbd333d43cd6
redhat/7.3/updates/SRPMS/cyrus-sasl-1.5.24-25.2.legacy.src.rpm
b4667fa03cb7395b7e0535fcdb74de78f4ee1a90
redhat/7.3/updates/i386/cyrus-sasl-1.5.24-25.2.legacy.i386.rpm
a5df6f8feca3944d60e10ec94264229d157b5ad6
redhat/7.3/updates/i386/cyrus-sasl-devel-1.5.24-25.2.legacy.i386.rpm
bc1e6e9cae9e1065a90327c752558c1f891f91a7
redhat/7.3/updates/i386/cyrus-sasl-gssapi-1.5.24-25.2.legacy.i386.rpm
61d28e3fbab415d6b37ac759bb154a54d94995c1
redhat/7.3/updates/i386/cyrus-sasl-md5-1.5.24-25.2.legacy.i386.rpm
6c8b1eae837a084f29fd572e781acc38e54c5201
redhat/7.3/updates/i386/cyrus-sasl-plain-1.5.24-25.2.legacy.i386.rpm
d7fdf0513e1b05543801354137b27660c7c1df9b
redhat/9/updates/SRPMS/cyrus-sasl-2.1.10-4.2.legacy.src.rpm
99dae02364cc6ba8e26ef4b080e555d85647f9e2
redhat/9/updates/i386/cyrus-sasl-2.1.10-4.2.legacy.i386.rpm
a6d19e7fbfb6ea5ef16b37a98cf03bbde7467059
redhat/9/updates/i386/cyrus-sasl-devel-2.1.10-4.2.legacy.i386.rpm
e1021e337cf247eb42d795f37e786783567ac39b
redhat/9/updates/i386/cyrus-sasl-gssapi-2.1.10-4.2.legacy.i386.rpm
df7f3f58cf8967b22b7c599e9d7cdbc151b7ee51
redhat/9/updates/i386/cyrus-sasl-md5-2.1.10-4.2.legacy.i386.rpm
c8851e0319d7cdb337d9ce34fe0c099383770473
redhat/9/updates/i386/cyrus-sasl-plain-2.1.10-4.2.legacy.i386.rpm
67070836cf1f9ab742789e2d1787d9b5d18cb5c1
fedora/1/updates/SRPMS/cyrus-sasl-2.1.15-6.2.legacy.src.rpm
ef9d0ad17d1f5e8b9fa1f054a3ee5686d6886eec
fedora/1/updates/i386/cyrus-sasl-2.1.15-6.2.legacy.i386.rpm
d698f0da0e60a574052aa3c9780599f3a16c1af1
fedora/1/updates/i386/cyrus-sasl-devel-2.1.15-6.2.legacy.i386.rpm
40e3c0bd3a66bea24a255a9cc923c975d4848e65
fedora/1/updates/i386/cyrus-sasl-gssapi-2.1.15-6.2.legacy.i386.rpm
2d19e1de5a5f36574af71bf0eb1087f1322b03de
fedora/1/updates/i386/cyrus-sasl-md5-2.1.15-6.2.legacy.i386.rpm
a13820031b39c60ff44c32f3fb265f1b6101fa05
fedora/1/updates/i386/cyrus-sasl-plain-2.1.15-6.2.legacy.i386.rpm
These packages are GPG signed by Fedora Legacy for security. Our key is=20
available from http://www.fedoralegacy org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or=20
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
8. References:
https://rhn.redhat.com/errata/RHSA-2004-546.html
9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More=20
project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
--2fHTh5uZTiUOsy+g
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCFR66YzuFKFF44qURAlynAJ0cLNNnF3wTLoavM0j7qR IvOGiRbgCg5r07
14i9iaBqN9Y1OLoBsWP5V9U=
=+56c
-----END PGP SIGNATURE-----
--2fHTh5uZTiUOsy+g--
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Fedora Legacy Update Advisory
Synopsis: Updated cyrus-sasl resolves security vulnerabilities
Advisory ID: FLSA:2137
Issue date: 2005-02-17
Product: Red Hat Linux
Fedora Core
Keywords: Security
Cross references: https://bugzilla.fedora.us/show_bug.cgi?id=3D2137
CVE Names: CAN-2004-0884
-----------------------------------------------------------------------
-----------------------------------------------------------------------
1. Topic:
Updated cyrus-sasl packages that fix a security vulnerability are now
available.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
3. Problem description:
The cyrus-sasl package contains the Cyrus implementation of SASL.
SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.
At application startup, libsasl and libsasl2 attempts to build a list
of all available SASL plug-ins which are available on the system. To do
so, the libraries search for and attempt to load every shared library found
within the plug-in directory. This location can be set with the SASL_PATH
environment variable.
In situations where an untrusted local user can affect the environment of a
privileged process, this behavior could be exploited to run arbitrary code
with the privileges of a setuid or setgid application. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0884 to this issue.
4. Solution:
Before applying this update, make sure all previously released errata=20
relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those=20
RPMs which are currently installed will be updated. Those RPMs which are=
=20
not installed but included in the list will not be updated. Note that you=
=20
can also use wildcards (*.rpm) if your current directory *only* contains=20
the desired RPMs.
Please note that this update is also available via yum and apt. Many=20
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the appropriate=
=20
RPMs being upgraded on your system. This assumes that you have yum or=20
apt-get configured for obtaining Fedora Legacy content. Please visit=20
http://www fedoralegacy.org/docs for directions on how to configure yum=20
and apt-get.
5. Bug IDs fixed:
http://bugzilla.fedora.us - 2137 - cyrus-sasl setuid/setgid flaw
(CAN-2004-0884)
6. RPMs required:
Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/cyrus-sasl-1.5.24=
-25.2.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cyrus-sasl-1.5.24-=
25.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cyrus-sasl-devel-1=
=2E5.24-25.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cyrus-sasl-gssapi-=
1.5.24-25.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cyrus-sasl-md5-1.5=
=2E24-25.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/cyrus-sasl-plain-1=
=2E5.24-25.2.legacy.i386.rpm
Red Hat Linux 9:
SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/cyrus-sasl-2.1.10-4=
=2E2.legacy.src.rpm
i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/cyrus-sasl-2.1.10-4.=
2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cyrus-sasl-devel-2.1=
=2E10-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cyrus-sasl-gssapi-2.=
1.10-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cyrus-sasl-md5-2.1.1=
0-4.2.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/cyrus-sasl-plain-2.1=
=2E10-4.2.legacy.i386.rpm
Fedora Core 1
SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/cyrus-sasl-2.1.15-6=
=2E2.legacy.src.rpm
i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/cyrus-sasl-2.1.15-6.=
2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cyrus-sasl-devel-2.1=
=2E15-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cyrus-sasl-gssapi-2.=
1.15-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cyrus-sasl-md5-2.1.1=
5-6.2.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/cyrus-sasl-plain-2.1=
=2E15-6.2.legacy.i386.rpm
7. Verification:
SHA1 sum Package Name
---------------------------------------------------------------------------
b1a8f0ec581a4241ad5426c66610fbd333d43cd6
redhat/7.3/updates/SRPMS/cyrus-sasl-1.5.24-25.2.legacy.src.rpm
b4667fa03cb7395b7e0535fcdb74de78f4ee1a90
redhat/7.3/updates/i386/cyrus-sasl-1.5.24-25.2.legacy.i386.rpm
a5df6f8feca3944d60e10ec94264229d157b5ad6
redhat/7.3/updates/i386/cyrus-sasl-devel-1.5.24-25.2.legacy.i386.rpm
bc1e6e9cae9e1065a90327c752558c1f891f91a7
redhat/7.3/updates/i386/cyrus-sasl-gssapi-1.5.24-25.2.legacy.i386.rpm
61d28e3fbab415d6b37ac759bb154a54d94995c1
redhat/7.3/updates/i386/cyrus-sasl-md5-1.5.24-25.2.legacy.i386.rpm
6c8b1eae837a084f29fd572e781acc38e54c5201
redhat/7.3/updates/i386/cyrus-sasl-plain-1.5.24-25.2.legacy.i386.rpm
d7fdf0513e1b05543801354137b27660c7c1df9b
redhat/9/updates/SRPMS/cyrus-sasl-2.1.10-4.2.legacy.src.rpm
99dae02364cc6ba8e26ef4b080e555d85647f9e2
redhat/9/updates/i386/cyrus-sasl-2.1.10-4.2.legacy.i386.rpm
a6d19e7fbfb6ea5ef16b37a98cf03bbde7467059
redhat/9/updates/i386/cyrus-sasl-devel-2.1.10-4.2.legacy.i386.rpm
e1021e337cf247eb42d795f37e786783567ac39b
redhat/9/updates/i386/cyrus-sasl-gssapi-2.1.10-4.2.legacy.i386.rpm
df7f3f58cf8967b22b7c599e9d7cdbc151b7ee51
redhat/9/updates/i386/cyrus-sasl-md5-2.1.10-4.2.legacy.i386.rpm
c8851e0319d7cdb337d9ce34fe0c099383770473
redhat/9/updates/i386/cyrus-sasl-plain-2.1.10-4.2.legacy.i386.rpm
67070836cf1f9ab742789e2d1787d9b5d18cb5c1
fedora/1/updates/SRPMS/cyrus-sasl-2.1.15-6.2.legacy.src.rpm
ef9d0ad17d1f5e8b9fa1f054a3ee5686d6886eec
fedora/1/updates/i386/cyrus-sasl-2.1.15-6.2.legacy.i386.rpm
d698f0da0e60a574052aa3c9780599f3a16c1af1
fedora/1/updates/i386/cyrus-sasl-devel-2.1.15-6.2.legacy.i386.rpm
40e3c0bd3a66bea24a255a9cc923c975d4848e65
fedora/1/updates/i386/cyrus-sasl-gssapi-2.1.15-6.2.legacy.i386.rpm
2d19e1de5a5f36574af71bf0eb1087f1322b03de
fedora/1/updates/i386/cyrus-sasl-md5-2.1.15-6.2.legacy.i386.rpm
a13820031b39c60ff44c32f3fb265f1b6101fa05
fedora/1/updates/i386/cyrus-sasl-plain-2.1.15-6.2.legacy.i386.rpm
These packages are GPG signed by Fedora Legacy for security. Our key is=20
available from http://www.fedoralegacy org/about/security.php
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or=20
tampered with, examine only the sha1sum with the following command:
sha1sum <filename>
8. References:
https://rhn.redhat.com/errata/RHSA-2004-546.html
9. Contact:
The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More=20
project details at http://www.fedoralegacy.org
---------------------------------------------------------------------
--2fHTh5uZTiUOsy+g
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFCFR66YzuFKFF44qURAlynAJ0cLNNnF3wTLoavM0j7qR IvOGiRbgCg5r07
14i9iaBqN9Y1OLoBsWP5V9U=
=+56c
-----END PGP SIGNATURE-----
--2fHTh5uZTiUOsy+g--