NOTE: This is a cyrus-sasl bug, but it is not in the component list, I think Nalin should get this report I seems that there have been silent upgrades and what not to cyrus-sasl so that there are many version 1.5.24's floating around. Quoting Kurt D. Zeilenga from openldap: "Sounds like you might be suffering from a nasty (and dangerous) Cyrus SASL bug. Make sure you have Cyrus SASL 1.5.24 installed as currently available from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail. Do not install versions from any other source as there appears to be multiple versions labeled 1.5.24 floating about (due to a silent upgrade) and only the version in the official FTP site is known not to contain the bug." A diff of the 1.5.24 tarball from the 7.0 src.rpm and the "official" 1.5.24 reveals the following: diff -uNr rh/cyrus-sasl-1.5.24/lib/server.c cyrus/cyrus-sasl-1.5.24/lib/server.c --- rh/cyrus-sasl-1.5.24/lib/server.c Mon Jul 10 14:54:45 2000 +++ cyrus/cyrus-sasl-1.5.24/lib/server.c Sun Aug 13 22:04:42 2000 @@ -895,7 +895,7 @@ s_conn->base.oparams.user = (char *) canonuser; } - return SASL_OK; + return ret; } This should be verified to find out if this is a serious bug or not.
Looks like you're right. Refetching the tarball gives me a file that's 58 bytes larger than the one I had. Will be updated in 1.5.24-11 and -12. Thanks *very* much for the heads-up!
I've put an updated cyrus-sasl-1.5.24 into the pipeline for release as a security errata.