Security Advisory Moderate: cyrus-sasl security update

Advisory: RHSA-2007:0878-10
Type: Security Advisory
Severity: Moderate
Issued on: 2007-09-04
Last updated on: 2007-09-04
Affected Products: Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
OVAL: com.redhat.rhsa-20070878.xml
CVEs (cve.mitre.org): CVE-2006-1721

Details

Updated cyrus-sasl packages that correct a security issue are now available
for Red Hat Enterprise Linux 3.

This update has been rated as having moderate security impact by the Red
Hat Security Response Team.

The cyrus-sasl package contains the Cyrus implementation of SASL.
SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.

A bug was found in cyrus-sasl's DIGEST-MD5 authentication mechanism. As
part of the DIGEST-MD5 authentication exchange, the client is expected to
send a specific set of information to the server. If one of these items
(the "realm") was not sent or was malformed, it was possible for a remote
unauthenticated attacker to cause a denial of service (segmentation fault)
on the server. (CVE-2006-1721)
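
The failure class described above, as an added example that is not cyrus-sasl's code or Red Hat's patch: a digest-response directive parser that reports an absent or malformed realm as a status code, so the caller never uses a value that was not sent. The function names, result codes and sample inputs are hypothetical, and backslash-escaped quotes inside values are not handled.

```c
#include <stddef.h>
#include <string.h>

/* Result codes for this example (hypothetical, not cyrus-sasl's). */
enum { DIR_OK = 0, DIR_ABSENT = 1, DIR_MALFORMED = -1 };

/* Copy the value of directive `name` from a comma-separated
 * name="value" list into out; never reads past the terminating NUL. */
int get_directive(const char *msg, const char *name, char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    const char *p = msg;
    while (*p) {
        while (*p == ' ' || *p == ',') p++;          /* skip separators */
        const char *eq = strchr(p, '=');
        if (!eq) return *p ? DIR_MALFORMED : DIR_ABSENT;
        int match = (size_t)(eq - p) == nlen && strncmp(p, name, nlen) == 0;
        const char *v = eq + 1, *end;
        if (*v == '"') {
            end = strchr(++v, '"');
            if (!end) return DIR_MALFORMED;          /* unterminated quote */
        } else {
            end = v + strcspn(v, ",");               /* unquoted token */
        }
        if (match) {
            size_t len = (size_t)(end - v);
            if (len >= outlen) return DIR_MALFORMED; /* too long for out */
            memcpy(out, v, len);
            out[len] = '\0';
            return DIR_OK;
        }
        p = (*end == '"') ? end + 1 : end;
    }
    return DIR_ABSENT;
}

/* Returns 0 and fills realm when the response's realm is acceptable,
 * -1 when authentication must fail. An absent realm becomes "" (as
 * RFC 2831 specifies) rather than a NULL pointer handed to strcmp(). */
int select_realm(const char *response, const char *server_realm,
                 char *realm, size_t realmlen)
{
    if (!response || !server_realm || !realm || realmlen == 0) return -1;
    int rc = get_directive(response, "realm", realm, realmlen);
    if (rc == DIR_MALFORMED) return -1;
    if (rc == DIR_ABSENT) realm[0] = '\0';
    return strcmp(realm, server_realm) == 0 ? 0 : -1;
}
```

With a response that omits the realm, `select_realm` fails authentication when the server offered a realm and succeeds only when the server's realm is itself empty; an unterminated quoted value is always rejected.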

Users of cyrus-sasl should upgrade to these updated packages, which contain a
backported patch to correct this issue.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
cyrus-sasl-2.1.15-15.src.rpm     971ba1e92e9949601bafd8f7bfb59aa1
 
IA-32:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-devel-2.1.15-15.i386.rpm     2b570b0237173d3a7bde466c6e2fb36b
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
 
x86_64:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-2.1.15-15.x86_64.rpm     ad14eda4c01f9f14406ee1c8b9f51c09
cyrus-sasl-devel-2.1.15-15.x86_64.rpm     0b026c8ffebc536a8254f8b3d0b3732a
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-gssapi-2.1.15-15.x86_64.rpm     b974739f506d6079cd221b594c2f3f63
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-md5-2.1.15-15.x86_64.rpm     3589053882bd022ab14839c7f24e7044
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
cyrus-sasl-plain-2.1.15-15.x86_64.rpm     0d170fb27a78b7cf3d2f946209335593
 
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
cyrus-sasl-2.1.15-15.src.rpm     971ba1e92e9949601bafd8f7bfb59aa1
 
IA-32:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-devel-2.1.15-15.i386.rpm     2b570b0237173d3a7bde466c6e2fb36b
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
 
IA-64:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-2.1.15-15.ia64.rpm     93e177c34d38edd502093ace0818ec6c
cyrus-sasl-devel-2.1.15-15.ia64.rpm     d73eb01b3b091346a3e13e16a4f3012f
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-gssapi-2.1.15-15.ia64.rpm     a2f2c05e60a957ebd6d1366d9affad86
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-md5-2.1.15-15.ia64.rpm     d33de0609bd3bdd5c915d12688de8bbf
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
cyrus-sasl-plain-2.1.15-15.ia64.rpm     627e26b0fa51c03d2a78bc9064b331c5
 
PPC:
cyrus-sasl-2.1.15-15.ppc.rpm     e80ba70d9318f9c4db9e5aba67f140b4
cyrus-sasl-2.1.15-15.ppc64.rpm     dd5ba07ac0b7f9db06924dc92ae64e0f
cyrus-sasl-devel-2.1.15-15.ppc.rpm     7b247b8d3b1dfa910748b006feeb3180
cyrus-sasl-gssapi-2.1.15-15.ppc.rpm     20f36685aab8e777d6a03bbd07a9043b
cyrus-sasl-gssapi-2.1.15-15.ppc64.rpm     bd759d41630b28ca16a9ac1bff7cd3ef
cyrus-sasl-md5-2.1.15-15.ppc.rpm     acf5cddc0d2d8da2cf72bc2385ec8639
cyrus-sasl-md5-2.1.15-15.ppc64.rpm     877e24163006884120ff7173250cceed
cyrus-sasl-plain-2.1.15-15.ppc.rpm     e1152342f5d9e040724742fbda17efaf
cyrus-sasl-plain-2.1.15-15.ppc64.rpm     4b27130a2484604d8b8532be9cef3d88
 
s390:
cyrus-sasl-2.1.15-15.s390.rpm     b9961e0723518e7a34d80ab27bdf1e6b
cyrus-sasl-devel-2.1.15-15.s390.rpm     8d4586eb684f58b8ad05173a8a441cf1
cyrus-sasl-gssapi-2.1.15-15.s390.rpm     47aba4aba7b9e3b725cad6faebcdee10
cyrus-sasl-md5-2.1.15-15.s390.rpm     789ef3e79fa96edbf6bf29d23507bc55
cyrus-sasl-plain-2.1.15-15.s390.rpm     ce0920b0a21006a63764942cdc5f46f5
 
s390x:
cyrus-sasl-2.1.15-15.s390.rpm     b9961e0723518e7a34d80ab27bdf1e6b
cyrus-sasl-2.1.15-15.s390x.rpm     8fef2c2af40d2a350659c2df794e710b
cyrus-sasl-devel-2.1.15-15.s390x.rpm     3a7fbf34a092488d62360f9b75a9e032
cyrus-sasl-gssapi-2.1.15-15.s390.rpm     47aba4aba7b9e3b725cad6faebcdee10
cyrus-sasl-gssapi-2.1.15-15.s390x.rpm     199afb45cc2909aff39c2d4fe2f6247e
cyrus-sasl-md5-2.1.15-15.s390.rpm     789ef3e79fa96edbf6bf29d23507bc55
cyrus-sasl-md5-2.1.15-15.s390x.rpm     57c373792e1ce7ff1af2153380811804
cyrus-sasl-plain-2.1.15-15.s390.rpm     ce0920b0a21006a63764942cdc5f46f5
cyrus-sasl-plain-2.1.15-15.s390x.rpm     467042d8e279de713d4730ec62bcf23c
 
x86_64:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-2.1.15-15.x86_64.rpm     ad14eda4c01f9f14406ee1c8b9f51c09
cyrus-sasl-devel-2.1.15-15.x86_64.rpm     0b026c8ffebc536a8254f8b3d0b3732a
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-gssapi-2.1.15-15.x86_64.rpm     b974739f506d6079cd221b594c2f3f63
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-md5-2.1.15-15.x86_64.rpm     3589053882bd022ab14839c7f24e7044
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
cyrus-sasl-plain-2.1.15-15.x86_64.rpm     0d170fb27a78b7cf3d2f946209335593
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
cyrus-sasl-2.1.15-15.src.rpm     971ba1e92e9949601bafd8f7bfb59aa1
 
IA-32:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-devel-2.1.15-15.i386.rpm     2b570b0237173d3a7bde466c6e2fb36b
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
 
IA-64:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-2.1.15-15.ia64.rpm     93e177c34d38edd502093ace0818ec6c
cyrus-sasl-devel-2.1.15-15.ia64.rpm     d73eb01b3b091346a3e13e16a4f3012f
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-gssapi-2.1.15-15.ia64.rpm     a2f2c05e60a957ebd6d1366d9affad86
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-md5-2.1.15-15.ia64.rpm     d33de0609bd3bdd5c915d12688de8bbf
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
cyrus-sasl-plain-2.1.15-15.ia64.rpm     627e26b0fa51c03d2a78bc9064b331c5
 
x86_64:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-2.1.15-15.x86_64.rpm     ad14eda4c01f9f14406ee1c8b9f51c09
cyrus-sasl-devel-2.1.15-15.x86_64.rpm     0b026c8ffebc536a8254f8b3d0b3732a
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-gssapi-2.1.15-15.x86_64.rpm     b974739f506d6079cd221b594c2f3f63
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-md5-2.1.15-15.x86_64.rpm     3589053882bd022ab14839c7f24e7044
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
cyrus-sasl-plain-2.1.15-15.x86_64.rpm     0d170fb27a78b7cf3d2f946209335593
 
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
cyrus-sasl-2.1.15-15.src.rpm     971ba1e92e9949601bafd8f7bfb59aa1
 
IA-32:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-devel-2.1.15-15.i386.rpm     2b570b0237173d3a7bde466c6e2fb36b
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
 
IA-64:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-2.1.15-15.ia64.rpm     93e177c34d38edd502093ace0818ec6c
cyrus-sasl-devel-2.1.15-15.ia64.rpm     d73eb01b3b091346a3e13e16a4f3012f
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-gssapi-2.1.15-15.ia64.rpm     a2f2c05e60a957ebd6d1366d9affad86
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-md5-2.1.15-15.ia64.rpm     d33de0609bd3bdd5c915d12688de8bbf
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
cyrus-sasl-plain-2.1.15-15.ia64.rpm     627e26b0fa51c03d2a78bc9064b331c5
 
x86_64:
cyrus-sasl-2.1.15-15.i386.rpm     bc2c9d4460476c6643ece0a3343e96a1
cyrus-sasl-2.1.15-15.x86_64.rpm     ad14eda4c01f9f14406ee1c8b9f51c09
cyrus-sasl-devel-2.1.15-15.x86_64.rpm     0b026c8ffebc536a8254f8b3d0b3732a
cyrus-sasl-gssapi-2.1.15-15.i386.rpm     e98364bad26467ee25ef5d710997fb1f
cyrus-sasl-gssapi-2.1.15-15.x86_64.rpm     b974739f506d6079cd221b594c2f3f63
cyrus-sasl-md5-2.1.15-15.i386.rpm     fccdb8a03342b0a1640b9723f30d8b51
cyrus-sasl-md5-2.1.15-15.x86_64.rpm     3589053882bd022ab14839c7f24e7044
cyrus-sasl-plain-2.1.15-15.i386.rpm     aa119a97b280debf2cfb3c3d36fe4c60
cyrus-sasl-plain-2.1.15-15.x86_64.rpm     0d170fb27a78b7cf3d2f946209335593
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

252339 - CVE-2006-1721 cyrus-sasl digest-md5 DoS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/