---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2004-331
2004-10-08
---------------------------------------------------------------------

Product     : Fedora Core 2
Name        : cyrus-sasl
Version     : 2.1.18
Release     : 2.2
Summary     : The Cyrus SASL library.
Description :
The cyrus-sasl package contains the Cyrus implementation of SASL.
SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.

---------------------------------------------------------------------
Update Information:

At application startup, libsasl and libsasl2 attempt to build a list
of all SASL plug-ins which are available on the system.  To do so,
the libraries search for and attempt to load every shared library
found within the plug-in directory.  This location can be set with
the SASL_PATH environment variable.

In situations where an untrusted local user can affect the
environment of a privileged process, this behavior could be exploited
to run arbitrary code with the privileges of a setuid or setgid
application.  The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0884 to this issue.

Users of cyrus-sasl should upgrade to these updated packages, which
contain backported patches and are not vulnerable to this issue.

---------------------------------------------------------------------

* Thu Oct 07 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2.2

- use notting's fix for incorrect patch for CAN-2004-0884 for 1.5.28

* Thu Oct 07 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2.1

- don't trust the environment in setuid/setgid contexts (CAN-2004-0884, #134660)

---------------------------------------------------------------------
This update can be downloaded from:
    

74c6c5f219ade64c4514ec64dab48376  SRPMS/cyrus-sasl-2.1.18-2.2.src.rpm
f3095f3563e54d3f6a8481560542ff64  x86_64/cyrus-sasl-2.1.18-2.2.x86_64.rpm
ab802d3faa874f078051109578b698e9  x86_64/cyrus-sasl-devel-2.1.18-2.2.x86_64.rpm
e9569f4c67f59de333fa6beca6260e7d  x86_64/cyrus-sasl-gssapi-2.1.18-2.2.x86_64.rpm
5ab29e7ad1bbca0d098984ec73e8b6a8  x86_64/cyrus-sasl-plain-2.1.18-2.2.x86_64.rpm
b9b362e882c9950a5da33f15bb5207f0  x86_64/cyrus-sasl-md5-2.1.18-2.2.x86_64.rpm
270d6d4738a4a674ff79256cf42ea0a4  x86_64/debug/cyrus-sasl-debuginfo-2.1.18-2.2.x86_64.rpm
c8b8e3c700ef3e48b53eab20e6ee7f62  i386/cyrus-sasl-2.1.18-2.2.i386.rpm
1ae4633b8efae2f9c7b963398cee58c5  i386/cyrus-sasl-devel-2.1.18-2.2.i386.rpm
1e9062a935b0ae9482dd190ead4b099c  i386/cyrus-sasl-gssapi-2.1.18-2.2.i386.rpm
40e096e298d95ce2a6d24b7cf4cf8ef1  i386/cyrus-sasl-plain-2.1.18-2.2.i386.rpm
fbea0811ec245e404637c651b10f1e64  i386/cyrus-sasl-md5-2.1.18-2.2.i386.rpm
9370a1bbf9ca58297a1d721f929113e4  i386/debug/cyrus-sasl-debuginfo-2.1.18-2.2.i386.rpm

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------

Fedora: cyrus-sasl-2.1.18-2.2 update

October 8, 2004
In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setu...

Summary

The cyrus-sasl package contains the Cyrus implementation of SASL.

SASL is the Simple Authentication and Security Layer, a method for

adding authentication support to connection-based protocols.

Update Information:

At application startup, libsasl and libsasl2 attempt to build a list of all SASL plug-ins which are available on the system. To do so, the libraries search for and attempt to load every shared library found within the plug-in directory. This location can be set with the SASL_PATH environment variable.

In situations where an untrusted local user can affect the environment of a privileged process, this behavior could be exploited to run arbitrary code with the privileges of a setuid or setgid application. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0884 to this issue.

Users of cyrus-sasl should upgrade to these updated packages, which contain backported patches and are not vulnerable to this issue.


* Thu Oct 07 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2.2

- use notting's fix for incorrect patch for CAN-2004-0884 for 1.5.28

* Thu Oct 07 2004 Nalin Dahyabhai <nalin@redhat.com> 2.1.18-2.1

- don't trust the environment in setuid/setgid contexts (CAN-2004-0884, #134660)

This update can be downloaded from:


74c6c5f219ade64c4514ec64dab48376 SRPMS/cyrus-sasl-2.1.18-2.2.src.rpm f3095f3563e54d3f6a8481560542ff64 x86_64/cyrus-sasl-2.1.18-2.2.x86_64.rpm ab802d3faa874f078051109578b698e9 x86_64/cyrus-sasl-devel-2.1.18-2.2.x86_64.rpm e9569f4c67f59de333fa6beca6260e7d x86_64/cyrus-sasl-gssapi-2.1.18-2.2.x86_64.rpm 5ab29e7ad1bbca0d098984ec73e8b6a8 x86_64/cyrus-sasl-plain-2.1.18-2.2.x86_64.rpm b9b362e882c9950a5da33f15bb5207f0 x86_64/cyrus-sasl-md5-2.1.18-2.2.x86_64.rpm 270d6d4738a4a674ff79256cf42ea0a4 x86_64/debug/cyrus-sasl-debuginfo-2.1.18-2.2.x86_64.rpm c8b8e3c700ef3e48b53eab20e6ee7f62 i386/cyrus-sasl-2.1.18-2.2.i386.rpm 1ae4633b8efae2f9c7b963398cee58c5 i386/cyrus-sasl-devel-2.1.18-2.2.i386.rpm 1e9062a935b0ae9482dd190ead4b099c i386/cyrus-sasl-gssapi-2.1.18-2.2.i386.rpm 40e096e298d95ce2a6d24b7cf4cf8ef1 i386/cyrus-sasl-plain-2.1.18-2.2.i386.rpm fbea0811ec245e404637c651b10f1e64 i386/cyrus-sasl-md5-2.1.18-2.2.i386.rpm 9370a1bbf9ca58297a1d721f929113e4 i386/debug/cyrus-sasl-debuginfo-2.1.18-2.2.i386.rpm

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.

Change Log

References

Fedora Update Notification FEDORA-2004-331 2004-10-08 Product : Fedora Core 2 Name : cyrus-sasl Version : 2.1.18 Release : 2.2 Summary : The Cyrus SASL library. Description : The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols.

Update Instructions

Severity
Product : Fedora Core 2
Name : cyrus-sasl
Version : 2.1.18
Release : 2.2
Summary : The Cyrus SASL library.

Related News

Google Releases Chrome 130 with Critical Security Fixes for 17 Flaws
3 - 5 min read
Google recently unveiled Chrome 130 , an update that addresses several security vulnerabilities to ensure the web browser's safety and reliability.
U.S. Investigation into China-Backed Telecom Companies Hack: The Role & Risks of Encryption Backdoors
3 - 5 min read
U.S. authorities are on high alert as they investigate an alleged Chinese state-sponsored hack targeting major U.S. telecommunications companies.
FASTCash Linux Malware: A New Cybercrime Menace Targeting Payment Switch Systems
3 - 5 min read
As malware threats evolve to increasingly target Linux systems, admins and organizations must stay up-to-date on the latest Linux malware variants
Optimizing CWPP on Linux Servers: Best Practices and Configurations
3 - 6 min read
Cloud Workload Protection Platforms are now essential for securing virtual environments. These provide a robust security layer vital for addressing
The Infiltration of Supply Chain Attacks in Open-Source Software Management
3 - 6 min read
Open-source projects are renowned for their collaborative nature and widespread adoption, yet more sophisticated supply chain attacks target them
Strengthen Your Linux Software Development Pipeline with Code Security Scanners
3 - 6 min read
Developers recognize the critical nature of protecting software systems as cyberattacks grow more sophisticated, thus necessitating robust security
Everything You Need to Know About Cloud Security Posture Management
3 - 5 min read
Many companies are transitioning from physical servers to cloud operations, but this transformation brings new challenges. Cloud Security Posture
Understanding the Critical Oath-Toolkit Vulnerability and Its Implications for Admins
3 - 5 min read
As Linux security threats advance and evolve, vulnerabilities often surface unexpectedly, exposing systems to potential exploitation. SUSE

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved