Bug 18968 - cyrus-sasl-1.5.24 is not the "real" 1.5.24
Summary: cyrus-sasl-1.5.24 is not the "real" 1.5.24
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: cyrus-sasl (Show other bugs)
(Show other bugs)
Version: 7.0
Hardware: i386 Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2000-10-12 16:02 UTC by heckmann
Modified: 2007-03-27 03:36 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-10-25 22:34:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description heckmann 2000-10-12 16:02:28 UTC
NOTE: This is a cyrus-sasl bug, but it is not in the component list, I
think Nalin should get this report

I seems that there have been silent upgrades and what not to cyrus-sasl so
that there are many version 1.5.24's floating around. Quoting Kurt D.
Zeilenga from openldap:

"Sounds like you might be suffering from a nasty (and dangerous) Cyrus SASL
bug.  Make sure you have Cyrus SASL 1.5.24 installed as currently available
from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail.                Do not install
versions from any other source as there appears
to                                                                be
multiple versions labeled 1.5.24 floating about (due to a
upgrade) and only the version in the official FTP site is known
not                                                                 to
contain the bug."

A diff of the 1.5.24 tarball from the 7.0 src.rpm and the "official" 1.5.24
reveals the following:

diff -uNr rh/cyrus-sasl-1.5.24/lib/server.c
--- rh/cyrus-sasl-1.5.24/lib/server.c   Mon Jul 10 14:54:45 2000
+++ cyrus/cyrus-sasl-1.5.24/lib/server.c        Sun Aug 13 22:04:42 2000
@@ -895,7 +895,7 @@
        s_conn->base.oparams.user = (char *) canonuser;
-    return SASL_OK;
+    return ret;
This should be verified to find out if this is a serious bug or not.

Comment 1 Nalin Dahyabhai 2000-10-25 20:57:39 UTC
Looks like you're right.  Refetching the tarball gives me a file that's 58 bytes
larger than the one I had.  Will be updated in 1.5.24-11 and -12.  Thanks *very*
much for the heads-up!

Comment 2 Nalin Dahyabhai 2000-10-25 22:34:23 UTC
I've put an updated cyrus-sasl-1.5.24 into the pipeline for release as a
security errata.

Note You need to log in before you can comment on or make changes to this bug.