On Sat, Oct 09, 2004 at 10:25:29AM -0300, Henrique de Moraes Holschuh wrote:
> Gentoo found a local privilege escalation bug in SASL. This affects
> SASL 1.5 (woody, sarge, sid) and SASL 2.1 (sarge, sid). The security team
> has been notified, and packages for stable are on the way.
>
> NMUs with fixed packages are already on sid. cyrus-sasl was uploaded with
> urgency=emergency and should be moved to sarge today, since it is not
> frozen (if the hppa autobuilder shows up, anyway).
>
> cyrus-sasl2 is frozen, and will require manual action by the release team to
> update sarge. It was uploaded with urgency=high, and must wait another day
> or two to clear the testing requirements.
>
> I also snuck in a fix for #274087, which is release-critical. The fix has
> been in sasl 1.5 since forever, and nobody ever complained that it broke
> things. That bug is really hairy: Either the fix for #274087 works, or we
> have some bad choices ahead of us:
>
> 1. to remove libnss-ldap from the archive because it will have a
> permanent critical bug (breaks any applications using libsasl2), or
> 2. update libldap (removing ALL sasl support from it, or providing a
> non-SASL-enabled version, and changing libnss-ldap to use the
> non-SASL version).
>
> Note that openldap is doing things to SASL that no sane person would in a
> library (but that might very well be required to get it to work -- this is
> related to a clear design bug in SASL's API).

Approved.

Thanks,
-- 
Steve Langasek
postmodern programmer