Synopsis:    Moderate: cyrus-sasl security update and bug fix update
Issue date:  2007-09-04
CVE Names:   CVE-2006-1721

A bug was found in cyrus-sasl's DIGEST-MD5 authentication mechanism. As part of the DIGEST-MD5 authentication exchange, the client is expected to send a specific set of information to the server. If one of these items (the "realm") was not sent or was malformed, it was possible for a remote unauthenticated attacker to cause a denial of service (segmentation fault) on the server. (CVE-2006-1721)

This errata also fixes the following bugs in Scientific Linux 4:

* the Kerberos 5 library included in Red Hat Enterprise Linux 4 was not thread safe. This update adds functionality which allows it to be used safely in a threaded application.

* several memory leak bugs were fixed in cyrus-sasl's DIGEST-MD5 authentication plug-in.

* /dev/urandom is now used by default on systems which don't support hwrandom. Previously, /dev/random was the default.

* cyrus-sasl needs zlib-devel to build properly. This dependency information is now included in the package.
SL 3.0.x

  SRPMS:
    cyrus-sasl-2.1.15-15.src.rpm

  i386:
    cyrus-sasl-2.1.15-15.i386.rpm
    cyrus-sasl-devel-2.1.15-15.i386.rpm
    cyrus-sasl-gssapi-2.1.15-15.i386.rpm
    cyrus-sasl-md5-2.1.15-15.i386.rpm
    cyrus-sasl-plain-2.1.15-15.i386.rpm

  x86_64:
    cyrus-sasl-2.1.15-15.i386.rpm
    cyrus-sasl-2.1.15-15.x86_64.rpm
    cyrus-sasl-devel-2.1.15-15.x86_64.rpm
    cyrus-sasl-gssapi-2.1.15-15.i386.rpm
    cyrus-sasl-gssapi-2.1.15-15.x86_64.rpm
    cyrus-sasl-md5-2.1.15-15.i386.rpm
    cyrus-sasl-md5-2.1.15-15.x86_64.rpm
    cyrus-sasl-plain-2.1.15-15.i386.rpm
    cyrus-sasl-plain-2.1.15-15.x86_64.rpm

SL 4.x

  SRPMS:
    cyrus-sasl-2.1.19-14.src.rpm

  i386:
    cyrus-sasl-2.1.19-14.i386.rpm
    cyrus-sasl-devel-2.1.19-14.i386.rpm
    cyrus-sasl-gssapi-2.1.19-14.i386.rpm
    cyrus-sasl-md5-2.1.19-14.i386.rpm
    cyrus-sasl-ntlm-2.1.19-14.i386.rpm
    cyrus-sasl-plain-2.1.19-14.i386.rpm
    cyrus-sasl-sql-2.1.19-14.i386.rpm

  x86_64:
    cyrus-sasl-2.1.19-14.i386.rpm
    cyrus-sasl-2.1.19-14.x86_64.rpm
    cyrus-sasl-devel-2.1.19-14.x86_64.rpm
    cyrus-sasl-gssapi-2.1.19-14.i386.rpm
    cyrus-sasl-gssapi-2.1.19-14.x86_64.rpm
    cyrus-sasl-md5-2.1.19-14.i386.rpm
    cyrus-sasl-md5-2.1.19-14.x86_64.rpm
    cyrus-sasl-ntlm-2.1.19-14.i386.rpm
    cyrus-sasl-ntlm-2.1.19-14.x86_64.rpm
    cyrus-sasl-plain-2.1.19-14.i386.rpm
    cyrus-sasl-plain-2.1.19-14.x86_64.rpm
    cyrus-sasl-sql-2.1.19-14.i386.rpm
    cyrus-sasl-sql-2.1.19-14.x86_64.rpm

-Connie Sieh
-Troy Dawson
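The x86_64 lists above include the i386 builds of the library and its plug-ins, so a multilib host is only fully patched once both architectures are at the fixed build. The following is an added example, not part of the original advisory: a small audit that flags any installed cyrus-sasl package older than the fixed builds listed here. The function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Fixed builds from the advisory: SL 3.0.x -> 2.1.15-15, SL 4.x -> 2.1.19-14.

# fixed_build VERSION-RELEASE: print the fixed build for that version series,
# or nothing when the series is not covered by this advisory.
fixed_build() {
    case "$1" in
        2.1.15-*) echo "2.1.15-15" ;;
        2.1.19-*) echo "2.1.19-14" ;;
    esac
}

# is_vulnerable VERSION-RELEASE: 0 = predates the fix, 1 = fixed, 2 = unknown.
# Simplification: only the leading integer of the release is compared.
is_vulnerable() {
    fixed=$(fixed_build "$1")
    [ -n "$fixed" ] || return 2
    rel=${1##*-}; rel=${rel%%[!0-9]*}
    [ -n "$rel" ] || return 2
    [ "$rel" -lt "${fixed##*-}" ]
}

# audit: read "NAME VERSION-RELEASE ARCH" lines on stdin, one verdict per package.
audit() {
    while read -r name vr arch; do
        case "$name" in cyrus-sasl*) ;; *) continue ;; esac
        rc=0; is_vulnerable "$vr" || rc=$?
        case $rc in
            0) echo "UPDATE $name.$arch $vr -> $(fixed_build "$vr")" ;;
            1) echo "OK $name.$arch $vr" ;;
            *) echo "UNKNOWN $name.$arch $vr" ;;
        esac
    done
}

# Constructed sample: x86_64 SL 4 host where only the 64-bit library was updated.
sample_inventory() {
    cat <<'EOF'
cyrus-sasl 2.1.19-14 x86_64
cyrus-sasl 2.1.19-5.EL4 i386
cyrus-sasl-md5 2.1.19-5.EL4 x86_64
zlib 1.2.1.2-1.2 x86_64
EOF
}

# On a real host: rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' | audit
sample_inventory | audit
```

Services that loaded the old library keep running it until they are restarted, so restart SASL-using daemons after the update.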