---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-331
2004-10-08
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : cyrus-sasl
Version     : 2.1.18
Release     : 2.2
Summary     : The Cyrus SASL library.
Description :
The cyrus-sasl package contains the Cyrus implementation of SASL.
SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.

---------------------------------------------------------------------
Update Information:

At application startup, libsasl and libsasl2 attempt to build a list
of all SASL plug-ins which are available on the system.  To do so,
the libraries search for and attempt to load every shared library
found within the plug-in directory.  This location can be set with
the SASL_PATH environment variable.

In situations where an untrusted local user can affect the
environment of a privileged process, this behavior could be exploited
to run arbitrary code with the privileges of a setuid or setgid
application.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0884 to this issue.

Users of cyrus-sasl should upgrade to these updated packages, which
contain backported patches and are not vulnerable to this issue.

---------------------------------------------------------------------

* Thu Oct 07 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2.2

- use notting's fix for incorrect patch for CAN-2004-0884 for 1.5.28

* Thu Oct 07 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2.1

- don't trust the environment in setuid/setgid contexts (CAN-2004-0884, #134660)

---------------------------------------------------------------------
This update can be downloaded from:
    

74c6c5f219ade64c4514ec64dab48376  SRPMS/cyrus-sasl-2.1.18-2.2.src.rpm
f3095f3563e54d3f6a8481560542ff64  x86_64/cyrus-sasl-2.1.18-2.2.x86_64.rpm
ab802d3faa874f078051109578b698e9  x86_64/cyrus-sasl-devel-2.1.18-2.2.x86_64.rpm
e9569f4c67f59de333fa6beca6260e7d  x86_64/cyrus-sasl-gssapi-2.1.18-2.2.x86_64.rpm
5ab29e7ad1bbca0d098984ec73e8b6a8  x86_64/cyrus-sasl-plain-2.1.18-2.2.x86_64.rpm
b9b362e882c9950a5da33f15bb5207f0  x86_64/cyrus-sasl-md5-2.1.18-2.2.x86_64.rpm
270d6d4738a4a674ff79256cf42ea0a4  x86_64/debug/cyrus-sasl-debuginfo-2.1.18-2.2.x86_64.rpm
c8b8e3c700ef3e48b53eab20e6ee7f62  i386/cyrus-sasl-2.1.18-2.2.i386.rpm
1ae4633b8efae2f9c7b963398cee58c5  i386/cyrus-sasl-devel-2.1.18-2.2.i386.rpm
1e9062a935b0ae9482dd190ead4b099c  i386/cyrus-sasl-gssapi-2.1.18-2.2.i386.rpm
40e096e298d95ce2a6d24b7cf4cf8ef1  i386/cyrus-sasl-plain-2.1.18-2.2.i386.rpm
fbea0811ec245e404637c651b10f1e64  i386/cyrus-sasl-md5-2.1.18-2.2.i386.rpm
9370a1bbf9ca58297a1d721f929113e4  i386/debug/cyrus-sasl-debuginfo-2.1.18-2.2.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

Fedora: cyrus-sasl-2.1.18-2.2 update

October 8, 2004
In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setu...

Summary

The cyrus-sasl package contains the Cyrus implementation of SASL.

SASL is the Simple Authentication and Security Layer, a method for

adding authentication support to connection-based protocols.

Update Information:

At application startup, libsasl and libsasl2 attempt to build a list of all SASL plug-ins which are available on the system. To do so, the libraries search for and attempt to load every shared library found within the plug-in directory. This location can be set with the SASL_PATH environment variable.

In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setuid or setgid application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0884 to this issue.

Users of cyrus-sasl should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue.


* Thu Oct 07 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2.2

- use notting's fix for incorrect patch for CAN-2004-0884 for 1.5.28

* Thu Oct 07 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2.1

- don't trust the environme...

Read the Full Advisory

Change Log

References

Fedora Update Notification FEDORA-2004-331 2004-10-08 Product : Fedora Core 2 Name : cyrus-sasl Version : 2.1.18 Release : 2.2 Summary : The Cyrus SASL library. Description : The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.

Update Instructions

Severity
Product : Fedora Core 2
Name : cyrus-sasl
Version : 2.1.18
Release : 2.2
Summary : The Cyrus SASL library.

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved