Bug 152800

Summary: cyrus-sasl setuid/setgid flaw (CAN-2004-0884)
Product: [Retired] Fedora Legacy
Component: Package request
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
Reporter: Dominic Hargreaves <dom>
Assignee: Fedora Legacy Bugs <bugs>
CC: b-nordquist, pekkas, rob.myers
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://rhn.redhat.com/errata/RHSA-2004-546.html
Whiteboard: 1, LEGACY, QA, rh73, rh90
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:27:55 UTC
"At application startup, libsasl and libsasl2 attempt to build a list
of all available SASL plug-ins which are available on the system.  To do
so, the libraries search for and attempt to load every shared library found
within the plug-in directory.  This location can be set with the SASL_PATH
environment variable.

In situations where an untrusted local user can affect the environment of a
privileged process, this behavior could be exploited to run arbitrary code
with the privileges of a setuid or setgid application.  The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0884 to this issue."

Check whether we are affected.



------- Additional Comments From marcdeslauriers 2004-10-07 10:40:33 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-2.1.15-6.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-2.1.15-6.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-devel-2.1.15-6.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-gssapi-2.1.15-6.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-md5-2.1.15-6.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-plain-2.1.15-6.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-1.5.24-25.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-1.5.24-25.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-devel-1.5.24-25.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-gssapi-1.5.24-25.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-md5-1.5.24-25.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-plain-1.5.24-25.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-2.1.10-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-2.1.10-4.1.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-devel-2.1.10-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-gssapi-2.1.10-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-md5-2.1.10-4.1.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-plain-2.1.10-4.1.legacy.i386.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBZanELMAs/0C4zNoRAscAAJ9+Wi5kHSxZwTR/GRaQz8mR3gSqTACfadSK
RjdWBXamgw6xfXYnEWwQQuI=
=VH3m
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2004-10-07 12:18:59 ----

"[Updated 7th October 2004]
Revised cyrus-sasl packages have been added for Red Hat Enterprise Linux 3;
the patch in the previous packages broke interaction with ldap."

https://rhn.redhat.com/errata/RHSA-2004-546.html



------- Additional Comments From marcdeslauriers 2004-10-07 12:40:22 ----

Packages in comment #1 are OK.

Here is the upstream patch for reference:

https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/lib/common.c.diff?r1=1.103&r2=1.104




------- Additional Comments From rob.myers.edu 2004-10-08 05:28:53 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on marc's FC1 updated package:
27497979e469b916f4ec84b01ff4cb90c1f99a0e  cyrus-sasl-2.1.15-6.1.legacy.src.rpm
 
sources ok, verified against cyrus-sasl-2.1.15-6
patches ok, verified against upstream, and cyrus-sasl-2.1.15-10 from RHEL
builds ok
cra's rpm-build-compare.sh looks ok
installs ok
runs ok
 
+PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBZrIRtU2XAt1OWnsRAhaoAKDEiC+z3RFOQx7/FD5Ad6MNb65IZgCgscBj
f5mXRYmNavmLleFK7u5Ds8k=
=B0Md
-----END PGP SIGNATURE-----




------- Additional Comments From michal 2004-10-10 19:43:03 ----

The relevant patch from sources referenced in
https://rhn.redhat.com/errata/RHSA-2004-546.html
has the following code:

+
+  /* Honor external variable only in a safe environment */
+  if (getuid() == geteuid() && getgid() == getegid())
+    path = getenv(SASL_PATH_ENV_VAR);
+  else
+    path = NULL;
+
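
Review bot: the `if` on getuid()/geteuid() and getgid()/getegid() only detects a process whose real and effective IDs still differ at the moment of the call; a setuid program that has already equalised its IDs before the library initialises would pass the test and still read SASL_PATH from the caller's environment. A comment stating that assumption next to the check would help. The `else path = NULL;` arm should stay, because the hunk does not show how `path` is declared and the later `if (! path)` must not depend on it.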

while that one used by Marc, at least in cyrus-sasl-1.5.24-25.1.legacy.src.rpm,
skips this "else" branch.  Can we really guarantee that there will be
no garbage value for 'path' in the next line which reads 'if (! path)' and
Nalin is just paranoid?  I did not check sources that carefully.



------- Additional Comments From rob.myers.edu 2004-10-11 03:55:29 ----

re comment #5:

michal is correct.  path can be uninitialized without the else branch.  it is
curious that the upstream cvs does not have this else branch.



------- Additional Comments From b-nordquist 2004-10-11 09:03:21 ----

Two identical RHL 9 test boxes, sendmail-8.12.8-9.90, configured for SMTP AUTH with SASL PLAIN and 
LOGIN mechanisms. After upgrading one to cyrus-sasl*-2.1.10-4.1.legacy (4 RPMs) downloaded from 
the above, and restarting sendmail, it no longer offers "250-AUTH PLAIN LOGIN" as it used to do. 
Further details on request; happy to do additional testing or troubleshooting. Thanks.



------- Additional Comments From marcdeslauriers 2004-10-11 12:40:39 ----

I quickly looked through the source to cyrus-sasl, and path is usually
initialized to NULL before calling the function containing the patched code.
Although the extra step is indeed a good idea. I'll update the patches next time
I build the packages.

Anyone have an idea why "250-AUTH PLAIN LOGIN" is missing in comment #7?



------- Additional Comments From marcdeslauriers 2004-10-11 14:03:59 ----

In response to comment 7, could you please send me your sendmail.cf and
sendmail.mc files please.




------- Additional Comments From rob.myers.edu 2004-10-12 05:25:43 ----

re comment #8:

here is the function from cyrus-sasl-1.5.28/lib/common.c:

static int
_sasl_getpath(void *context __attribute__((unused)),
              char ** path_dest)
{
  char *path;

  if (! path_dest)
    return SASL_BADPARAM;

  /* Honor external variable only in a safe environment */
  if (getuid() == geteuid() && getgid() == getegid())
    path = getenv(SASL_PATH_ENV_VAR);

  if (! path)
    path = PLUGINDIR;
  return _sasl_strdup(path, path_dest, NULL);
}

as you can see, path is not initialized elsewhere, like it can be in
cyrus-sasl-2.1.15/lib/common.c

static int
_sasl_getpath(void *context __attribute__((unused)),
              const char **path)
{
  if (! path)
    return SASL_BADPARAM;

  /* Honor external variable only in a safe environment */
  if (getuid() == geteuid() && getgid() == getegid())
    *path = getenv(SASL_PATH_ENV_VAR);

  if (! *path)
    *path = PLUGINDIR;

  return SASL_OK;
}




------- Additional Comments From michal 2004-10-12 11:45:48 ----

See also bug #2153.  Sigh!



------- Additional Comments From michal 2004-10-12 12:04:12 ----

re comment #9:

_sasl_getpath() from cyrus-sasl-1.5.28/lib/common.c in a form quoted
in comment #9 is simply broken. 'path' on entry will have some random
garbage in it, as this is not a global variable, so if assignment
'path = getenv(SASL_PATH_ENV_VAR);' will not execute we will get on
a return whatever.  Seems to me like an opening for an attack.
'else' branch which sets 'path' to NULL is vital.

This is not the case for cyrus-sasl-2.1.15/lib/common.c
as we are passing there in 'path' hopefully something correct.
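
The guard discussed in the comments above, as an added example that is not code from cyrus-sasl or from any commenter: the local is initialised so the fallback test never reads an indeterminate value, and the decision is a pure function that can be checked without a setuid binary. The `proc_ids` struct, the function names, the `PLUGINDIR` value and the Linux `AT_SECURE` check are assumptions that go beyond the quoted patch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>            /* getauxval(), AT_SECURE */
#endif

#define SASL_PATH_ENV_VAR "SASL_PATH"   /* variable named in the advisory */
#define PLUGINDIR "/usr/lib/sasl2"      /* assumed build-time default */

/* Snapshot of the process credentials, passed in explicitly so the
 * decision can be exercised without installing a setuid binary. */
struct proc_ids {
    uid_t uid, euid;
    gid_t gid, egid;
    unsigned long at_secure;     /* kernel's secure-exec flag, 0 if unknown */
};

/* The patch's predicate, plus the AT_SECURE flag (assumption: Linux).
 * AT_SECURE stays set even if the program later equalises its IDs. */
static int env_is_trusted(const struct proc_ids *p)
{
    return p->uid == p->euid && p->gid == p->egid && p->at_secure == 0;
}

/* env_value is whatever getenv(SASL_PATH_ENV_VAR) returned, possibly NULL. */
static const char *choose_plugin_path(const struct proc_ids *p,
                                      const char *env_value,
                                      const char *default_dir)
{
    const char *path = NULL;     /* initialised: no branch leaves it indeterminate */

    if (env_is_trusted(p))
        path = env_value;        /* honour the variable only when safe */

    if (!path)
        path = default_dir;      /* privileged, or variable unset */
    return path;
}

/* Same decision for the running process. */
static const char *current_plugin_path(void)
{
    struct proc_ids p = { getuid(), geteuid(), getgid(), getegid(), 0 };
#ifdef __linux__
    p.at_secure = getauxval(AT_SECURE);
#endif
    return choose_plugin_path(&p, getenv(SASL_PATH_ENV_VAR), PLUGINDIR);
}

int main(void)
{
    printf("plug-in directory: %s\n", current_plugin_path());
    return 0;
}
```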



------- Additional Comments From marcdeslauriers 2004-10-12 13:59:36 ----

ouch! yes, 1.5.28 is indeed broken now. I had just checked 2.1.15... Thanks for
pointing this out guys, it takes me a while sometimes :P

I'll build new packages tomorrow with a revised patch.




------- Additional Comments From marcdeslauriers 2004-10-13 12:20:46 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

Changelog:
* Wed Oct 13 2004 Marc Deslauriers <marcdeslauriers> 2.1.10-4.2.legacy
- - Added better patches for SASL_PATH vulnerability (CAN-2004-0884)
 
* Tue Oct 05 2004 Marc Deslauriers <marcdeslauriers> 2.1.10-4.1.legacy
- - Added security patches for SASL_PATH vulnerability

http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-2.1.15-6.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-2.1.15-6.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-devel-2.1.15-6.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-gssapi-2.1.15-6.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-md5-2.1.15-6.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/cyrus-sasl-plain-2.1.15-6.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-1.5.24-25.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-1.5.24-25.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-devel-1.5.24-25.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-gssapi-1.5.24-25.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-md5-1.5.24-25.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/7.3/cyrus-sasl-plain-1.5.24-25.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-2.1.10-4.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-2.1.10-4.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-devel-2.1.10-4.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-gssapi-2.1.10-4.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-md5-2.1.10-4.2.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/cyrus-sasl-plain-2.1.10-4.2.legacy.i386.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBbao9LMAs/0C4zNoRArCYAJ44dWPoOiQCtlpFAI6/O0+8rvgN8wCfV02g
PTYiaoEY2EMYJaWy1u6oL2A=
=8T1x
-----END PGP SIGNATURE-----




------- Additional Comments From b-nordquist 2004-10-14 04:08:19 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I tested Marc's RHL 9 cyrus-sasl packages:

cyrus-sasl-2.1.10-4.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-devel-2.1.10-4.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-gssapi-2.1.10-4.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-md5-2.1.10-4.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-plain-2.1.10-4.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK

09e168b11f2db6ca6e31e4a04749acc0  cyrus-sasl-2.1.10-4.2.legacy.i386.rpm
b686ba551a0ed7db49b624f94cb300e3  cyrus-sasl-devel-2.1.10-4.2.legacy.i386.rpm
6a2b36447112faface17c3b6760d9e5e  cyrus-sasl-gssapi-2.1.10-4.2.legacy.i386.rpm
1caa03ec96d8017a12e8fc34571604cd  cyrus-sasl-md5-2.1.10-4.2.legacy.i386.rpm
259de2931adf8dc72ab9a3a304faa3be  cyrus-sasl-plain-2.1.10-4.2.legacy.i386.rpm

(Note that they match his GPG key, but the MD5 sums don't match what is
listed above?) Tested on RHL 9 with sendmail-8.12.8-9.90 configured for
SMTP AUTH (SASL PLAIN and LOGIN) -- works fine. This resolves comment #7
above. Thanks Marc!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBboextQzgmMVLS2URAgz7AJ0WqdLTwXdhGrJ+HFV91ofuRTnq3ACcDOyt
DMeVKWeI8fkUZ0J6iqHEgWY=
=sjwQ
-----END PGP SIGNATURE-----



------- Additional Comments From rob.myers.edu 2004-10-14 06:30:30 ----

marc posted sha1sums, not md5sums.



------- Additional Comments From josh.kayse.edu 2004-10-18 08:30:55 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the FC1 Package:

f569fb60a4e34ce6aeeaa62180dcd110fb0e6074  cyrus-sasl-2.1.15-6.2.legacy.src.rpm

- - Source file identical to previous
- - Spec file looks good
- - Builds clean
- - Installs clean
- - Patches are good
- - runs good

+PUBLISH
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQFBdAu/wnUFCSDmt7ERAggUAKCdKmLAlJLUcHOvTLchZIJNOxRdZACgjsfC
+CRxVx67F1csa/KwOKJibvo=
=klcw
-----END PGP SIGNATURE-----




------- Additional Comments From rob.myers.edu 2004-10-21 05:06:15 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
i did QA on marc's FC1 package:
f569fb60a4e34ce6aeeaa62180dcd110fb0e6074 cyrus-sasl-2.1.15-6.2.legacy.src.rpm
 
sha1sum matches
builds ok
source files ok (verified against cyrus-sasl-2.1.15-6.1.legacy)
spec file ok
patches much better
cra's rpm-build-compare script ok (vs. cyrus-sasl-2.1.15-6)
installs ok
runs ok
 
+PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
 
iD8DBQFBd9BGtU2XAt1OWnsRAiI1AJ9sLj8x4mcfOiEFKplCZHq5SsTdZgCginOn
FpzlAblNIiMsTunUccmE6GI=
=w1Ht
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2004-12-20 10:53:22 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

QA for SRPM for RHL73:
 - sources match the originals
 - the patch verified to come from RHEL 2.1AS update and looks good
 - spec file changes minimal and look good.
 - rebuild and installed OK.
 - after restarting sendmail, offers the same '250-AUTH GSSAPI DIGEST-MD5'
   as before.

+PUBLISH (RHL73)

5921e782553be3ae52f2803c68db0d9747f1bd1d  cyrus-sasl-1.5.24-25.2.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBxzuuGHbTkzxSL7QRAq8xAKDQLi/OTcYAb6XTAMgSPtFHM6OpmACfZM89
h2YzAM5lHT0fJqHDdRNfLE4=
=9nss
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2005-02-03 13:29:50 ----

packages pushed to testing-updates



------- Additional Comments From mschout 2005-02-08 06:53:22 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify Redhat 7.3:

* rpm --checksig:
cyrus-sasl-1.5.24-25.2.legacy.i386.rpm: md5 gpg OK
cyrus-sasl-devel-1.5.24-25.2.legacy.i386.rpm: md5 gpg OK
cyrus-sasl-gssapi-1.5.24-25.2.legacy.i386.rpm: md5 gpg OK
cyrus-sasl-md5-1.5.24-25.2.legacy.i386.rpm: md5 gpg OK
cyrus-sasl-plain-1.5.24-25.2.legacy.i386.rpm: md5 gpg OK

* all signed by secnotice with valid GPG signature.
* packages install with no errors.
* appears to work normally.  sendmail offers same AUTH options as before.

+VERIFY RHL7.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCCO5Z+CqvSzp9LOwRAh3SAJ9H6H6+dZRwEfeZwpz7oYmR+bWqdACeMXr/
kb5hO41cbdow7BOZDQ7SSac=
=ar3l
-----END PGP SIGNATURE-----



------- Additional Comments From mschout 2005-02-08 07:04:42 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Verify FC1

* rpm --checksig:
cyrus-sasl-2.1.15-6.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-devel-2.1.15-6.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-gssapi-2.1.15-6.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-md5-2.1.15-6.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-plain-2.1.15-6.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK

* packages install with no errors.
* appears to work normally.  sendmail offers same AUTH options as before.

+VERIFY FC1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCCPEZ+CqvSzp9LOwRAgqiAJ41DVaR8ysn1PCOPHt2uoGhDyI8QwCcD3vD
W9D2jWtmDA+HLf2HP3tYQeU=
=G/HJ
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-02-15 06:35:36 ----

Line breaks screw up the signature, but in any case..

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RHL9:
 - signatures OK
 - installs and works nicely.

+VERIFY RHL9

cyrus-sasl-2.1.10-4.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-devel-2.1.10-4.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-gssapi-2.1.10-4.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-md5-2.1.10-4.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK
cyrus-sasl-plain-2.1.10-4.2.legacy.i386.rpm: (sha1) dsa sha1 md5 gpg OK

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCEiSqGHbTkzxSL7QRApjyAKCE0ym72DCy+pvrfUVz/BbPFYZYQACfXsbh
FKepqQzBwTEv+9WmKqbVgrQ=
=ub09
-----END PGP SIGNATURE-----




------- Additional Comments From dom 2005-02-17 12:47:13 ----

Packages were released to updates.



------- Bug moved to this database by dkl 2005-03-30 18:27 -------

This bug previously known as bug 2137 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2137
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.