From tsl@trustix.org Fri Oct 8 17:00:58 2004
From: Trustix Security Advisor
To: bugtraq@securityfocus.com
Date: Fri, 8 Oct 2004 13:37:13 +0200
Subject: TSLSA-2004-0053 - cyrus-sasl

--------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2004-0053

Package name:      cyrus-sasl
Summary:           Insecure handling of environment variable
Date:              2004-10-08
Affected versions: Trustix Secure Linux 2.0
                   Trustix Secure Linux 2.1
                   Trustix Operating System - Enterprise Server 2
--------------------------------------------------------------------------

Package description:
  The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is
  the Simple Authentication and Security Layer, a method for adding
  authentication support to connection-based protocols.

Problem description:
  Kurt Lieber reported that libsasl honors the environment variable
  SASL_PATH blindly, allowing a local user to compile a "library" locally
  that is then loaded and executed with the effective user ID (EID) of the
  process using libsasl.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
  assigned the name CAN-2004-0884 to this issue.

Action:
  We recommend that all systems with this package installed be upgraded.
  Please note that if you do not need the functionality provided by this
  package, you may want to remove it from your system.

Location:
  All Trustix Secure Linux updates are available from

About Trustix Secure Linux:
  Trustix Secure Linux is a small Linux distribution for servers. With a
  focus on security and stability, the system is painlessly kept safe and
  up to date from day one using swup, the automated software updater.

Automatic updates:
  Users of the SWUP tool can enjoy having updates automatically installed
  using 'swup --upgrade'.

Questions?
  Check out our mailing lists:

Verification:
  This advisory, along with all Trustix packages, is signed with the TSL
  sign key. This key is available from:

  The advisory itself is available from the errata pages at and or
  directly at

MD5sums of the packages:
--------------------------------------------------------------------------
--------------------------------------------------------------------------

Trustix Security Team
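As an added illustration of the defect in the Problem description (example code written for this page, not Trustix's or Cyrus SASL's own source): the unchecked lookup that trusts SASL_PATH whenever it is set, beside a hardened lookup that ignores it as soon as the effective credentials differ from the real ones. DEFAULT_PLUGIN_DIR, the function names and the sample paths are assumptions.

```c
/* Added example (not Trustix or Cyrus SASL code): a plugin-directory lookup
 * that trusts SASL_PATH only when the process is not running set-uid/set-gid.
 * DEFAULT_PLUGIN_DIR is an assumed placeholder for the distribution's
 * built-in plugin directory. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_PLUGIN_DIR "/usr/lib/sasl2"   /* assumed default location */

/* Vulnerable pattern described in the advisory: the environment value is
 * used whenever it is set, regardless of the process's privileges. */
const char *choose_plugin_dir_unchecked(const char *env_path,
                                        uid_t uid, uid_t euid,
                                        gid_t gid, gid_t egid)
{
    (void)uid; (void)euid; (void)gid; (void)egid;   /* credentials ignored */
    return (env_path != NULL && env_path[0] != '\0') ? env_path
                                                    : DEFAULT_PLUGIN_DIR;
}

/* Hardened pattern: ignore the user-controlled path as soon as the
 * effective credentials differ from the real ones, so a set-uid/set-gid
 * program cannot be steered into loading an arbitrary shared object.
 * (glibc's secure_getenv() or BSD issetugid() implement the same idea and
 * also cover the AT_SECURE/capability cases this manual check does not.) */
const char *choose_plugin_dir(const char *env_path,
                              uid_t uid, uid_t euid,
                              gid_t gid, gid_t egid)
{
    int privileged = (uid != euid) || (gid != egid);
    if (!privileged && env_path != NULL && env_path[0] != '\0')
        return env_path;
    return DEFAULT_PLUGIN_DIR;
}

/* Convenience wrapper that reads the live process credentials. */
const char *sasl_plugin_dir(void)
{
    return choose_plugin_dir(getenv("SASL_PATH"),
                             getuid(), geteuid(), getgid(), getegid());
}

int main(void)
{
    printf("plugin directory: %s\n", sasl_plugin_dir());
    return 0;
}
```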