From security@linux-mandrake.com Fri Oct 8 01:06:18 2004
From: Mandrake Linux Security Team
To: full-disclosure@lists.netsys.com
Date: 7 Oct 2004 19:53:16 -0000
Subject: [Full-Disclosure] MDKSA-2004:106 - Updated cyrus-sasl packages fix local vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           cyrus-sasl
 Advisory ID:            MDKSA-2004:106
 Date:                   October 7th, 2004

 Affected versions:      10.0, 9.2, Corporate Server 2.1
 ______________________________________________________________________

 Problem Description:

 A vulnerability was discovered in the libsasl library of cyrus-sasl.
 libsasl honors the SASL_PATH environment variable blindly, which could
 allow a local user to create a malicious "library" that would get
 executed with the effective ID of whatever process calls libsasl.

 The provided packages are patched to protect against this vulnerability.
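 As an added illustration (not part of this advisory and not code from
 the cyrus-sasl project or the Mandrakelinux patch), the C snippet below
 shows the defensive pattern for a library that honours a plugin search
 path taken from an environment variable such as SASL_PATH: the value is
 used only when the process is not running set-UID/set-GID (real and
 effective IDs match) and the value is an absolute path; in every other
 case the compiled-in directory is used. The default directory
 /usr/lib/sasl2 and the function names are assumptions for the example.
 The policy is written as a pure function so it can be exercised without
 changing process credentials.

```c
/* Added example, not cyrus-sasl's own code: defensive handling of a
 * plugin-search-path environment variable (SASL_PATH) inside a shared
 * library that may be loaded by a set-UID/set-GID program.
 *
 * The vulnerable behaviour is "return getenv("SASL_PATH") whenever it
 * is set". The hardened behaviour ignores the variable when the process
 * holds privilege it did not inherit from the user's own credentials. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl2"   /* assumed compile-time default */
#define PATH_ENV_NAME      "SASL_PATH"        /* variable named in the advisory */

/* Non-zero when real and effective IDs differ, i.e. the classic
 * set-UID/set-GID case in which the environment is attacker-controlled
 * relative to the privilege the process holds. */
static int running_privileged(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Pure decision function: env_value is the raw SASL_PATH value (or NULL
 * when unset), privileged is the result of running_privileged().
 * Returns the directory from which plugins may be loaded. */
const char *choose_plugin_dir(const char *env_value, int privileged)
{
    /* A privileged process never lets the caller's environment pick the
     * directory from which code is loaded. */
    if (privileged)
        return DEFAULT_PLUGIN_DIR;

    /* Unset, empty or relative values fall back to the built-in default;
     * a relative path would be resolved against an attacker-chosen cwd. */
    if (env_value == NULL || env_value[0] != '/')
        return DEFAULT_PLUGIN_DIR;

    return env_value;
}

/* Convenience wrapper that applies the policy to the current process. */
const char *plugin_dir_for_this_process(void)
{
    int priv = running_privileged(getuid(), geteuid(), getgid(), getegid());
    return choose_plugin_dir(getenv(PATH_ENV_NAME), priv);
}

int main(void)
{
    printf("plugin directory: %s\n", plugin_dir_for_this_process());
    return 0;
}
```

 Comparing real and effective IDs is the classic check, and it is the
 same rule the dynamic loader applies to LD_LIBRARY_PATH for set-UID
 binaries. It is not the whole story: a daemon that has already dropped
 privileges has matching IDs yet still holds secrets, so where the
 platform offers a "was this process ever privileged" signal
 (issetugid() on the BSDs, the AT_SECURE auxiliary vector on Linux) that
 signal is the stronger gate.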
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0884
 ______________________________________________________________________

 Updated Packages:

 Mandrakelinux 10.0:
 5e5d9e126e0bf03a9c7dc7def1213c4e  10.0/RPMS/cyrus-sasl-2.1.15-10.1.100mdk.i586.rpm
 8562e1d0be93b26ea84d0b025644cea1  10.0/RPMS/libsasl2-2.1.15-10.1.100mdk.i586.rpm
 533a72fdd6edc830d9217dd984da3aac  10.0/RPMS/libsasl2-devel-2.1.15-10.1.100mdk.i586.rpm
 d736f6e8f20741c34e95637d43486471  10.0/RPMS/libsasl2-plug-anonymous-2.1.15-10.1.100mdk.i586.rpm
 b62cd043af5fa4dac25c3789b66849c5  10.0/RPMS/libsasl2-plug-crammd5-2.1.15-10.1.100mdk.i586.rpm
 e588f90d705706d284a6688dd4b9b136  10.0/RPMS/libsasl2-plug-digestmd5-2.1.15-10.1.100mdk.i586.rpm
 1f6c4d7f481b6ff91b8d614648e98be5  10.0/RPMS/libsasl2-plug-gssapi-2.1.15-10.1.100mdk.i586.rpm
 286f311f343c2f21df4c9fbfd6809d79  10.0/RPMS/libsasl2-plug-login-2.1.15-10.1.100mdk.i586.rpm
 eaea38b6454677074aff221769a06ee1  10.0/RPMS/libsasl2-plug-ntlm-2.1.15-10.1.100mdk.i586.rpm
 7e48e4c3631c7017a6eb492d09b2a10f  10.0/RPMS/libsasl2-plug-otp-2.1.15-10.1.100mdk.i586.rpm
 da6cc786bda3e4e297c753708fa25d45  10.0/RPMS/libsasl2-plug-plain-2.1.15-10.1.100mdk.i586.rpm
 555eab832bf1b6e6a230a896542475c1  10.0/RPMS/libsasl2-plug-sasldb-2.1.15-10.1.100mdk.i586.rpm
 0c2992258fcea6a83a1a421f2e8bcb57  10.0/RPMS/libsasl2-plug-srp-2.1.15-10.1.100mdk.i586.rpm
 efdc07d417c7ebba707bc7bd5b13f829  10.0/SRPMS/cyrus-sasl-2.1.15-10.1.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 74fff1da23dab6e2ea936663bde4754f  amd64/10.0/RPMS/cyrus-sasl-2.1.15-10.1.100mdk.amd64.rpm
 4ae7d79a0035264b4991844061155b22  amd64/10.0/RPMS/lib64sasl2-2.1.15-10.1.100mdk.amd64.rpm
 ec042bcd47406ce77ca6270baaa3e30d  amd64/10.0/RPMS/lib64sasl2-devel-2.1.15-10.1.100mdk.amd64.rpm
 90bf0467dd3a84ad4bda4191e7beeda6  amd64/10.0/RPMS/lib64sasl2-plug-anonymous-2.1.15-10.1.100mdk.amd64.rpm
 0b592508b84e2b59c6d92b67bc9acc7d  amd64/10.0/RPMS/lib64sasl2-plug-crammd5-2.1.15-10.1.100mdk.amd64.rpm
 6c165b6f5a153268c090bf48867e1c16  amd64/10.0/RPMS/lib64sasl2-plug-digestmd5-2.1.15-10.1.100mdk.amd64.rpm
 80cc5dc58b8096708f136b26707a9979  amd64/10.0/RPMS/lib64sasl2-plug-gssapi-2.1.15-10.1.100mdk.amd64.rpm
 e31d97544c17cf3627c96ba30bab4566  amd64/10.0/RPMS/lib64sasl2-plug-login-2.1.15-10.1.100mdk.amd64.rpm
 c2cf0e4bf0a16bfa0f12804a38d72086  amd64/10.0/RPMS/lib64sasl2-plug-ntlm-2.1.15-10.1.100mdk.amd64.rpm
 adc938ecf528ec25ce15a42eaa0b42cc  amd64/10.0/RPMS/lib64sasl2-plug-otp-2.1.15-10.1.100mdk.amd64.rpm
 c1ea1fbea28db51ab5dc79ccd515c3ac  amd64/10.0/RPMS/lib64sasl2-plug-plain-2.1.15-10.1.100mdk.amd64.rpm
 cafbef0aa82c2a38cfcac103931536fe  amd64/10.0/RPMS/lib64sasl2-plug-sasldb-2.1.15-10.1.100mdk.amd64.rpm
 21cc68617893b2d63b3b0afc466c09b9  amd64/10.0/RPMS/lib64sasl2-plug-srp-2.1.15-10.1.100mdk.amd64.rpm
 efdc07d417c7ebba707bc7bd5b13f829  amd64/10.0/SRPMS/cyrus-sasl-2.1.15-10.1.100mdk.src.rpm

 Corporate Server 2.1:
 66cb444f56bb4217df77428198527b7f  corporate/2.1/RPMS/cyrus-sasl-1.5.27-5.1.C21mdk.i586.rpm
 ad6d0411ebddc8f0c760297cfd20c282  corporate/2.1/RPMS/libsasl7-1.5.27-5.1.C21mdk.i586.rpm
 20a039725daa6aa3a8e4140922b1a123  corporate/2.1/RPMS/libsasl7-devel-1.5.27-5.1.C21mdk.i586.rpm
 9a16c82b1de4fbaccc370e26764620ec  corporate/2.1/RPMS/libsasl7-plug-anonymous-1.5.27-5.1.C21mdk.i586.rpm
 798328f930b8262188e745fcfbd7cb43  corporate/2.1/RPMS/libsasl7-plug-crammd5-1.5.27-5.1.C21mdk.i586.rpm
 227b3b14966c940870415ed8e1590dc8  corporate/2.1/RPMS/libsasl7-plug-digestmd5-1.5.27-5.1.C21mdk.i586.rpm
 c17b0582d7bfcc49feaf98a9650458fc  corporate/2.1/RPMS/libsasl7-plug-login-1.5.27-5.1.C21mdk.i586.rpm
 455d4ae2174dad7622337bf2531e012f  corporate/2.1/RPMS/libsasl7-plug-plain-1.5.27-5.1.C21mdk.i586.rpm
 a3ea8b441b6454eda5dbf4e9f7a0e126  corporate/2.1/SRPMS/cyrus-sasl-1.5.27-5.1.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 d00de6225fcc2afb91ea13017738de9a  x86_64/corporate/2.1/RPMS/cyrus-sasl-1.5.27-5.1.C21mdk.x86_64.rpm
 49bd78a963695b794cc5f0a7d8285447  x86_64/corporate/2.1/RPMS/libsasl7-1.5.27-5.1.C21mdk.x86_64.rpm
 44c9864023686e7f4f492a4ac2e0fe53  x86_64/corporate/2.1/RPMS/libsasl7-devel-1.5.27-5.1.C21mdk.x86_64.rpm
 7d90d8f1ce6e5874996c048676a73ecd  x86_64/corporate/2.1/RPMS/libsasl7-plug-anonymous-1.5.27-5.1.C21mdk.x86_64.rpm
 f8dc759136397b2444baa4f4233c07ae  x86_64/corporate/2.1/RPMS/libsasl7-plug-crammd5-1.5.27-5.1.C21mdk.x86_64.rpm
 9d91a8842db34d9e4486736007e459c4  x86_64/corporate/2.1/RPMS/libsasl7-plug-digestmd5-1.5.27-5.1.C21mdk.x86_64.rpm
 4e82d378ad868a4f24de02d31de580f6  x86_64/corporate/2.1/RPMS/libsasl7-plug-login-1.5.27-5.1.C21mdk.x86_64.rpm
 7cef5720f54436d7b1af6d6c817a3a72  x86_64/corporate/2.1/RPMS/libsasl7-plug-plain-1.5.27-5.1.C21mdk.x86_64.rpm
 a3ea8b441b6454eda5dbf4e9f7a0e126  x86_64/corporate/2.1/SRPMS/cyrus-sasl-1.5.27-5.1.C21mdk.src.rpm

 Mandrakelinux 9.2:
 61fd385bb6c9a096d9799df48d1ee82f  9.2/RPMS/cyrus-sasl-2.1.15-4.1.92mdk.i586.rpm
 3c3514ca12a7fdd2e570aa591f455e13  9.2/RPMS/libsasl2-2.1.15-4.1.92mdk.i586.rpm
 6ba003f5d656d14144dc8d49083db212  9.2/RPMS/libsasl2-devel-2.1.15-4.1.92mdk.i586.rpm
 f86b5496c34adc514066f37b05128cf9  9.2/RPMS/libsasl2-plug-anonymous-2.1.15-4.1.92mdk.i586.rpm
 7ac83050851d59918b27ebd32f060245  9.2/RPMS/libsasl2-plug-crammd5-2.1.15-4.1.92mdk.i586.rpm
 f74524d4fa09ce1c57b64b3fa8d78c28  9.2/RPMS/libsasl2-plug-digestmd5-2.1.15-4.1.92mdk.i586.rpm
 66bd5dce305693ff83fac906d8856371  9.2/RPMS/libsasl2-plug-gssapi-2.1.15-4.1.92mdk.i586.rpm
 32aa5d36b1f3305c68cf94f98031003f  9.2/RPMS/libsasl2-plug-login-2.1.15-4.1.92mdk.i586.rpm
 6c4014739c88a866c4fbee477c619724  9.2/RPMS/libsasl2-plug-ntlm-2.1.15-4.1.92mdk.i586.rpm
 fcf63deaecb78df0821c100ba2916514  9.2/RPMS/libsasl2-plug-otp-2.1.15-4.1.92mdk.i586.rpm
 27d0589f02db89408ae4598f5cf36051  9.2/RPMS/libsasl2-plug-plain-2.1.15-4.1.92mdk.i586.rpm
 6f3ba42ebce674dc797a042dd6377b64  9.2/RPMS/libsasl2-plug-sasldb-2.1.15-4.1.92mdk.i586.rpm
 bd6a6af7f73fa380ed7b7712acced412  9.2/RPMS/libsasl2-plug-srp-2.1.15-4.1.92mdk.i586.rpm
 cc2e67e7a7df460932c8c97bbf9d79b6  9.2/SRPMS/cyrus-sasl-2.1.15-4.1.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 e932be9d60a9990f28f0cc9514c33123  amd64/9.2/RPMS/cyrus-sasl-2.1.15-4.1.92mdk.amd64.rpm
 1dda4f42fee8f8480f8a6274c533f929  amd64/9.2/RPMS/lib64sasl2-2.1.15-4.1.92mdk.amd64.rpm
 e4cd66b10b8940507ed766e3bae72b38  amd64/9.2/RPMS/lib64sasl2-devel-2.1.15-4.1.92mdk.amd64.rpm
 8c4426cf876b988cf8883db132497ae8  amd64/9.2/RPMS/lib64sasl2-plug-anonymous-2.1.15-4.1.92mdk.amd64.rpm
 02f3fc6d31ebb7c000d7060c99e63884  amd64/9.2/RPMS/lib64sasl2-plug-crammd5-2.1.15-4.1.92mdk.amd64.rpm
 a7b4c37fb6ee6bc53e315dede91e2696  amd64/9.2/RPMS/lib64sasl2-plug-digestmd5-2.1.15-4.1.92mdk.amd64.rpm
 e3f1b44b40e8ad0511c814ef6d703835  amd64/9.2/RPMS/lib64sasl2-plug-gssapi-2.1.15-4.1.92mdk.amd64.rpm
 f2cd6a80bdb93a4b345ac60cc9975e72  amd64/9.2/RPMS/lib64sasl2-plug-login-2.1.15-4.1.92mdk.amd64.rpm
 54b04103e38be7f9ac7982044d72dd83  amd64/9.2/RPMS/lib64sasl2-plug-ntlm-2.1.15-4.1.92mdk.amd64.rpm
 87d5b714dae7284efb6024ed92b83aa8  amd64/9.2/RPMS/lib64sasl2-plug-otp-2.1.15-4.1.92mdk.amd64.rpm
 eb37724460418bbe7c3f24f915c97e1d  amd64/9.2/RPMS/lib64sasl2-plug-plain-2.1.15-4.1.92mdk.amd64.rpm
 82470db324565a79a16401512fd01281  amd64/9.2/RPMS/lib64sasl2-plug-sasldb-2.1.15-4.1.92mdk.amd64.rpm
 d2ea27f377fa52e5d651b354ebf20657  amd64/9.2/RPMS/lib64sasl2-plug-srp-2.1.15-4.1.92mdk.amd64.rpm
 cc2e67e7a7df460932c8c97bbf9d79b6  amd64/9.2/SRPMS/cyrus-sasl-2.1.15-4.1.92mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.
 You can obtain the GPG public key of the Mandrakelinux Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBZZ6smqjQ0CJFipgRAqklAKCy85zvubFuHcjCjE65k1kylu25hwCgtgSu
P5+Ffklyg+/6K51R1aH92aI=
=gbCH
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html