Red Hat: Updated cyrus-sasl packages correct a security issue

The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is the Simple Authentication and Security Layer, a method for adding authentication support to connection-based protocols. A bug was found in cyrus-sasl's DIGEST-MD5 authentication mechanism. As part of the DIGEST-MD5 authentication exchange, the client is expected to send a specific set of information to the server. If one of these items (the "realm") was not sent or was malformed, it was possible for a remote unauthenticated attacker to cause a denial of service (segmentation fault) on the server. Fixed packages are available from updates.redhat.com.

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Moderate: cyrus-sasl security update
Advisory ID:       RHSA-2007:0878-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0878.html
Issue date:        2007-09-04
Updated on:        2007-09-04
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2006-1721 
---------------------------------------------------------------------

1. Summary:

Updated cyrus-sasl packages that correct a security issue are now available
for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

The cyrus-sasl package contains the Cyrus implementation of SASL.
SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.

A bug was found in cyrus-sasl's DIGEST-MD5 authentication mechanism. As
part of the DIGEST-MD5 authentication exchange, the client is expected to
send a specific set of information to the server. If one of these items
(the "realm") was not sent or was malformed, it was possible for a remote
unauthenticated attacker to cause a denial of service (segmentation fault)
on the server. (CVE-2006-1721) 

Users of cyrus-sasl should upgrade to these updated packages, which contain a
backported patch to correct this issue.
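
As an added illustration of the bug class described above (not the cyrus-sasl source and not Red Hat's backported patch), this C sketch parses a DIGEST-MD5 client response and guarantees the realm is a valid string before any later code uses it. The function names, the status codes, and the choice to treat an absent realm as an empty string are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

enum { DIR_OK = 0, DIR_ABSENT = -1, DIR_MALFORMED = -2 };

/* Copy the value of directive `key` out of a comma-separated list of
 * key=value pairs (values optionally double-quoted) into `out`. */
static int get_directive(const char *resp, const char *key,
                         char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = resp;

    while (*p) {
        while (*p == ',' || *p == ' ') p++;          /* skip separators */
        if (!*p) break;
        const char *name = p;
        while (*p && *p != '=' && *p != ',') p++;
        if (*p != '=') return DIR_MALFORMED;         /* key with no value */
        int match = (size_t)(p - name) == klen && !strncmp(name, key, klen);
        int quoted = (*++p == '"');
        if (quoted) p++;
        size_t n = 0;
        while (*p && (quoted ? *p != '"' : *p != ',')) {
            if (quoted && *p == '\\' && p[1]) p++;   /* quoted-pair */
            if (match) {
                if (n + 1 >= outlen) return DIR_MALFORMED;  /* too long */
                out[n++] = *p;
            }
            p++;
        }
        if (quoted && *p++ != '"') return DIR_MALFORMED;  /* unterminated */
        if (match) { out[n] = '\0'; return DIR_OK; }
    }
    return DIR_ABSENT;
}

/* Returns 1 with `realm` always a valid NUL-terminated string when the
 * exchange may continue, 0 when the response must be rejected. */
int resolve_realm(const char *resp, char *realm, size_t realmlen)
{
    if (!resp || !realm || realmlen == 0) return 0;
    switch (get_directive(resp, "realm", realm, realmlen)) {
    case DIR_OK:     return 1;
    case DIR_ABSENT: realm[0] = '\0'; return 1;  /* assumption: absent -> "" */
    default:         return 0;                   /* malformed: fail the auth */
    }
}
```

The point of the wrapper is that both failure modes named in the advisory, a missing realm and a malformed one, end in a defined outcome instead of a pointer that later code dereferences unchecked.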

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

252339 - CVE-2006-1721 cyrus-sasl digest-md5 DoS

6. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/cyrus-sasl-2.1.15-15.src.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/cyrus-sasl-2.1.15-15.src.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/cyrus-sasl-2.1.15-15.src.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/cyrus-sasl-2.1.15-15.src.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1721
http://www.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is .  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.