cyrus-sasl2 (2.1.19.dfsg1-0.1ubuntu3.1) dapper-security; urgency=low

  * SECURITY UPDATE: base64 encoding could result in unterminated strings,
    leading to crashes or loss of privacy.
    - Add debian/patches/50_sasl_encode64_term.diff: backported upstream
      fixes.
    - CVE-2009-0688

 -- Kees Cook  Tue, 23 Jun 2009 11:29:50 -0700

cyrus-sasl2 (2.1.19.dfsg1-0.1ubuntu3) dapper-proposed; urgency=low

  * debian/rules: configure with --with-devrandom=/dev/urandom to avoid
    hanging/blocking applications when entropy is exhausted. (LP: #225333)

 -- Andrew Pollock  Thu, 1 May 2008 10:03:51 -0700

cyrus-sasl2 (2.1.19.dfsg1-0.1ubuntu2) dapper; urgency=low

  * SECURITY UPDATE: Remote DoS with crafted realms during DIGEST-MD5
    negotiation.
  * Add debian/patches/27_upstream_cvs_digest-md5-crash.diff:
    - plugins/digestmd5.c: Check that the provided realm is valid to avoid
      crash.
    - Patch taken from upstream CVS, fixed upstream in 2.1.21:
      https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/
      plugins/digestmd5.c.diff?r1=1.173&r2=1.175&f=u
  * CVE-2006-1721

 -- Martin Pitt  Mon, 24 Apr 2006 11:58:30 +0200

cyrus-sasl2 (2.1.19.dfsg1-0.1ubuntu1) dapper; urgency=low

  * Synchronize to Debian (#28137)
  * Reapply remaining Ubuntu changes to clean Debian package:
    - debian/patches/13_libdb42_autotools.diff, debian/control: Build
      against db4.3 instead of 4.2.
    - debian/control: Since the libsasl2 package description so clearly
      states that the library is "completely useless" without one of the
      libsasl2-modules packages, upgrade the Recommends on a single package
      to an ORd Depends on the complete list of them. (Ubuntu bug #8046)
      [Adam Conrad]

 -- Martin Pitt  Mon, 10 Apr 2006 11:46:53 +0200

cyrus-sasl2 (2.1.19.dfsg1-0.1) unstable; urgency=low

  * Non-maintainer upload.
  * Remove dlcompat-20010505 subdirectory from source package as it
    contains non-DFSG-free source. Required regeneration of the
    orig.tar.gz. Closes: #357527.

 -- dann frazier  Tue, 4 Apr 2006 16:38:20 -0600

cyrus-sasl2 (2.1.19-1.9) unstable; urgency=low

  * Non-maintainer upload.
  * debian/patches/26_fix_hurd_build.diff: Fix FTBFS on hurd-i386.
    Closes: #324288.

 -- Michael Banck  Fri, 20 Jan 2006 15:45:30 +0100

cyrus-sasl2 (2.1.19-1.8) unstable; urgency=medium

  * Non-maintainer upload.
  * Medium-urgency upload for RC bugfixes.
  * Rebuild against current heimdal packages, dropping the build-dependency
    on the obsolete and soon-to-be-removed krb4 package; also drop the
    (misnamed) libsasl2-modules-kerberos-heimdal package as a result.
    Closes: #345737, 345880.
  * Drop mention of KERBEROS_V4 in the libsasl2 package description.
  * Build against libmysqlclient15 instead of the obsolete libmysqlclient10
    for libsasl2-modules-sql.
  * debian/patches/25_postgresql_pg_config.diff: Use pg-config --includedir
    in configure.in, so that cyrus-sasl2 continues to build when the
    postgresql include path changes as the postgresql maintainers are
    planning to do; and adjust the include path in plugins/sql.c
    accordingly. Closes: #315177.

 -- Steve Langasek  Sat, 7 Jan 2006 04:18:58 -0800

cyrus-sasl2 (2.1.19-1.7) unstable; urgency=low

  * Non-maintainer upload.
  * fix FTBFS in plugins/ntlm.c with patch 24. Closes: #332703

 -- Andreas Barth  Sat, 5 Nov 2005 20:07:50 +0100

cyrus-sasl2 (2.1.19-1.6) unstable; urgency=medium

  * Non-maintainer upload.
  * Medium-urgency upload for RC bugfixes.
  * Drop the extern declaration of a static variable global_callbacks,
    allowing the package to build with gcc-4.0 (closes: #285605).
  * Build-Depend on libpq-dev instead of on postgresql-dev, as the latter
    package name is obsolete. (Ref: #315177)

 -- Steve Langasek  Wed, 24 Aug 2005 17:41:57 -0700

cyrus-sasl2 (2.1.19-1.5) unstable; urgency=emergency

  * NMU
  * Clean-up 2.1.19-1.4 NMU:
    + Since we were using an upstream CVS patch, add another patch fixing
      it instead of changing the (bad) upstream CVS patch; Sent this new
      patch upstream
    + Set *path to NULL, not to 0
  * Add Build-Conflicts: autoconf2.13, automake1.4
  * We want something easy to merge/further fix in sarge, so this cleanup
    is a good idea

 -- Henrique de Moraes Holschuh  Sat, 16 Oct 2004 17:50:19 -0300

cyrus-sasl2 (2.1.19-1.4) unstable; urgency=low

  * NMU
  * fix the security fix: Initialize *path with 0. Closes: #276637.

 -- Andreas Barth  Fri, 15 Oct 2004 20:26:41 +0200

cyrus-sasl2 (2.1.19-1.3) unstable; urgency=high

  * NMU
  * Fix minor issue with -1.2 in patch 15, to squash a compiler warning
    (just in case it becomes more than a warning in some arch): add missing
    "int" to extern declaration

 -- Henrique de Moraes Holschuh  Fri, 8 Oct 2004 13:06:28 -0300

cyrus-sasl2 (2.1.19-1.2) unstable; urgency=high

  * NMU, since I am not sure Dima is back yet
  * SECURITY FIX: SASL_PATH environment variable must not be honoured on
    setuid environments, otherwise we have a local privilege escalation
    exploit (CVE: CAN-2004-0884), related advisories: RHSA-2004:546-02;
    GLSA 200410-05
  * upstream CVS: lib/common.c: don't honor SASL_PATH in setuid
    environment. from Gentoo (CVE CAN-2004-0884); (closes: #275431)
  * upstream CVS: plugins/kerberos4.c: document weirdness with openssl DES
  * upstream CVS: plugins/cram.c,plugins/anonymous.c,plugins/login.c,
    plugins/plain.c,plugins/sasldb.c: Fixed several 64 bit portability
    warnings
  * Forward port sasl_set_alloc locking patch from SASL 1.5, to avoid
    problems with the braindead idea of globals SASL has, and with
    libraries that think they can get around mucking with them (hello
    openldap!) (closes: #274087)

 -- Henrique de Moraes Holschuh  Fri, 8 Oct 2004 11:15:39 -0300

cyrus-sasl2 (2.1.19-1.1) unstable; urgency=medium

  * NMU with permission from the maintainer
  * Release Manager: SASL 2.1.18 (currently in sarge) is very unusable.
    Please accept this upload for sarge. The main reasons justifying this
    are:
    * Security fixes from upstream: at least one buffer overflow was
      plugged in 2.1.19, and the code was made more secure, which may have
      plugged other latent security bugs.
    * Essential feature: 2.1.18 has a very bad regression in that saslauthd
      cannot support realms embedded inside the username as previous
      versions did. However, that regression is exactly how it should be
      behaving since day one, never mind that too many setups are hopeless
      with the realm information out-of-band. 2.1.19 adds a "-r" option to
      saslauthd which restores the former behaviour. Both behaviours are
      needed, depending on the SASL mechs being used (one sends the realm
      out-of-band, the other in-band). Users have complained loudly about
      this issue, not only in Debian, but in the SASL and Cyrus IMAP
      mailing lists as well. For way too many people and setups, "-r" is
      essential
    * Essential bug fixes: Digest-MD5 and GSSAPI are quite broken in
      2.1.18, and extensive fixes were applied on them in 2.1.19. In fact,
      2.1.18 GSSAPI does _not_ work completely right against Heimdal and
      MIT kerberos.
    * ABI version issue: the 2.1.19-1 Debian package was uploaded to
      _unstable_ before the freeze. Maybe because of that, the maintainer
      did upgrade the shlibs dependency to 2.1.19 (I have confirmed that to
      be required for SASL modules, so it appears to be really required).
      Packages built in _unstable_ since then are being held back due to
      this issue. The best fix for packages that use libsasl2 *is* getting
      this new version into sarge, due to all other fixes.
  * Bugs closed in 2.1.19-1, but not acknowledged before:
    * Fix FTBFS in hppa, due to broken libtool usage, thanks to Steve
      Langasek for the patch (closes: #245818)
    * 2.1.19 supports saslauthd "-r" option (closes: #248333, #256808)
  * Changes in this NMU:
    * upstream CVS: plugins/digestmd5.c: Fix handling of client realm
      callback
    * upstream CVS: plugins/gssapi.c: Memory management cleanup
    * upstream CVS: configure.in, plugins/gssapi.c: Wrap all GSS calls in
      mutexes when required by the implementation (closes: #202836)
      THIS PATCH PROBABLY SHOULD BE SET TO DISABLED BY DEFAULT WHEN MIT
      KERBEROS 1.3.5 ENTERS UNSTABLE
      (see https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=2255)
    * Libtool is refreshed at every build, so this upload closes: #262339
    * debian/control: build-depend on debhelper (>= 4)
    * debian/control: build-depend on libtool (>= 1.5.6) instead of
      (>= 1.5.2-1)
    * Fix initscript to return status 0 if stop called when daemon is
      already stopped (closes: #242184)

 -- Henrique de Moraes Holschuh  Sat, 14 Aug 2004 13:04:38 -0300

cyrus-sasl2 (2.1.19-1) unstable; urgency=medium

  * New upstream version (Closes: #259503, #259658)
  * Acknowledge the last NMU (closes: #254818)
  * Build against libdb4.2 (closes: #253894)
  * Fixed the path to saslauthd.conf in the saslauthd man page
    (Closes: #254454)

 -- Dima Barsky  Sun, 4 Jul 2004 20:38:53 +0100

cyrus-sasl2 (2.1.18-4.1) unstable; urgency=low

  * NMU.
  * Fix FTBFS, non-PIC in shared lib (closes: #254818).

 -- Matthias Klose  Fri, 21 May 2004 08:02:44 +0200

cyrus-sasl2 (2.1.18-4) unstable; urgency=medium

  * Added the build dependency on libtool

 -- Dima Barsky  Mon, 19 Apr 2004 13:46:23 +0100

cyrus-sasl2 (2.1.18-3) unstable; urgency=medium

  * Update config.{sub,guess} at the build time
  * Added conflict with old MIT kerberos packages (Closes: #240714)

 -- Dima Barsky  Sun, 18 Apr 2004 18:02:48 +0100

cyrus-sasl2 (2.1.18-2) unstable; urgency=low

  * Renamed libsasl2-modules-mysql to libsasl2-modules-sql
  * Reduced some packages' priority to optional, only the core remain
    important.
  * Enabled KRB4 (should've done it in 2.1.18-1).

 -- Dima Barsky  Sun, 21 Mar 2004 01:07:40 +0000

cyrus-sasl2 (2.1.18-1) unstable; urgency=low

  * New upstream release (Closes: #232086)
  * Revised Build-Depends list (Closes: #212615)
  * Fixed typo in debian/control, thanks to hmh@debian.org
    (Closes: #213521)
  * Fixed mutex handling (Closes: #223253)
  * Use single -a for several mechanisms in /etc/init.d/saslauthd
    (Closes: #202354)
  * Fixed sasltestsuite (Closes: #217538)

 -- Dima Barsky  Sat, 13 Mar 2004 16:16:26 +0000

cyrus-sasl2 (2.1.15-6) unstable; urgency=low

  * Acknowledging the last two NMUs
    (Closes: #213510, #212945, #212318, #211958)
  * Added -fno-strict-aliasing flag (Closes: #215862)

 -- Dima Barsky  Sun, 26 Oct 2003 01:26:53 +0100

cyrus-sasl2 (2.1.15-5.2) unstable; urgency=low

  * NMU
  * Eeek, kill acinclude.m4 (what the FUCK is it doing there anyway?!) so
    as to correctly update the libtool environment (Closes: #213510)
  * While at it fix some stuff in the control file:
    + Section: libs for libsasl2-* since SASL runtime environment is NOT a
      devel suite
  * Document rather bluntly the extreme need for sasl modules for this lib
    to actually work in README.Debian

 -- Henrique de Moraes Holschuh  Tue, 30 Sep 2003 21:14:56 -0300

cyrus-sasl2 (2.1.15-5.1) unstable; urgency=low

  * NMU
  * Rebuild, to get correct heimdal dependencies. Also add comerr-dev to
    build-dependency list (Closes: #212945)
  * Build-depend on libtool1.4 (Closes: #212318)

 -- Henrique de Moraes Holschuh  Tue, 30 Sep 2003 13:56:28 -0300

cyrus-sasl2 (2.1.15-5) unstable; urgency=low

  * Set priority to "important" (Closes: #202876)
  * Run aclocal,autoconf,automake, and autoheader in saslauthd directory as
    well as the top one (Closes: #203096)
  * Registered a conflict between *-heimdal packages and *-mit ones
    (Closes: #202838)
  * Grabbed doc/components.html from the SASL CVS (Closes: #202642)

 -- Dima Barsky  Thu, 31 Jul 2003 21:17:09 +0100

cyrus-sasl2 (2.1.15-4) unstable; urgency=low

  * Removed build dependency on libopenafs-dev, it was only required for
    SASL1. SASL2 can take the DES library from libssl-dev
    (Closes: #202569).

 -- Dima Barsky  Wed, 23 Jul 2003 12:50:59 +0100

cyrus-sasl2 (2.1.15-3) unstable; urgency=low

  * Added build dependency on groff-base

 -- Dima Barsky  Mon, 21 Jul 2003 12:39:50 +0100

cyrus-sasl2 (2.1.15-2) unstable; urgency=low

  * Added build dependency on dbs and libopenafs-dev

 -- Dima Barsky  Mon, 21 Jul 2003 11:43:38 +0100

cyrus-sasl2 (2.1.15-1) unstable; urgency=low

  * New upstream release
  * Added LDAP_SASLAUTHD doc file to sasl2-bin (Closes: #201893)
  * Added build dependency on automake1.4 and autoconf2.13

 -- Dima Barsky  Tue, 15 Jul 2003 21:39:08 +0100

cyrus-sasl2 (2.1.14-1) unstable; urgency=low

  * New upstream release
  * Changed the build system to dbs.
  * The GSSAPI segfault has been fixed upstream (Closes: #192502)
  * Fixed a typo in the sasl2-bin description (Closes: #197070, #193958)
  * Made a separate package for the MYSQL plugin
    (Closes: #188716, #166702, #190673)
  * Moved libsasldb plugin into the libsasl2 package.

 -- Dima Barsky  Mon, 14 Jul 2003 07:04:47 +0100

cyrus-sasl2 (2.1.12-1) unstable; urgency=low

  * New upstream release
  * Changed variable 'c' in testsuite.c:2871 from char to int
    (Closes: #177426)
  * Recompiled with the latest heimdal libraries (Closes: #179810)
  * Removed RFC documents from libsasl2 (Closes: #178987)

 -- Dima Barsky  Sat, 15 Mar 2003 22:29:25 +0000

cyrus-sasl2 (2.1.10-1) unstable; urgency=low

  * New upstream release (Closes: #172453)
  * Included sasldbconverter2 (Closes: #170740)
  * Removed duplicate "--with-ldap" from debian/rules (Closes: #167858)
  * Added "--sysconfdir=/etc" to debian/rules (Closes: #167855)
  * Changed libsasl2 -> libsasl2-modules dependency from Suggests to
    Recommends (Closes: #171938)
  * Added "--enable-alwaystrue" to debian/rules (Closes: #170495)
  * Included testsaslauthd (Closes: #167876)
  * Included sasltestsuite (Closes: #166538)

 -- Dima Barsky  Mon, 23 Dec 2002 16:07:31 +0000

cyrus-sasl2 (2.1.9-5) unstable; urgency=low

  * Updated libtool files inside saslauthd/config/ (Closes: #166810)
  * Enabled NTLM module
  * Enabled LDAP support for saslauthd

 -- Dima Barsky  Mon, 28 Oct 2002 21:12:56 +0000

cyrus-sasl2 (2.1.9-4) unstable; urgency=low

  * Enabled DO_DLOPEN unconditionally in configure.in

 -- Dima Barsky  Mon, 28 Oct 2002 00:20:55 +0000

cyrus-sasl2 (2.1.9-3) unstable; urgency=low

  * Added AM_MAINTAINER_MODE to configure.in

 -- Dima Barsky  Sat, 26 Oct 2002 01:46:13 +0100

cyrus-sasl2 (2.1.9-2) unstable; urgency=low

  * Added dbconverter-2 as /usr/sbin/sasldbconverter-2
  * Added build dependency on zlib1g-dev

 -- Dima Barsky  Fri, 25 Oct 2002 22:28:30 +0100

cyrus-sasl2 (2.1.9-1) unstable; urgency=low

  * New upstream release
  * shlibs now refers to the current version (Closes: #163845)
  * sasl2-bin now uses dpkg-statoverride to manage permissions of
    /var/run/saslauthd and /etc/sasldb2 (Closes: #163042, #164393)

 -- Dima Barsky  Mon, 21 Oct 2002 22:01:01 +0100

cyrus-sasl2 (2.1.7-3) unstable; urgency=low

  * Added shlibs file (Closes: #162927)

 -- Dima Barsky  Tue, 1 Oct 2002 17:44:36 +0100

cyrus-sasl2 (2.1.7-2) unstable; urgency=low

  * Build with versioned symbols
  * Another split: KERBEROS mechanism is now in a separate module
    (Closes: #154153)
  * README.Debian has been updated a while ago, we can close bug 146543
    now. (Closes: #146543)

 -- Dima Barsky  Mon, 30 Sep 2002 17:23:12 +0100

cyrus-sasl2 (2.1.7-1) unstable; urgency=low

  * New upstream version (Closes: #156286, #158296)
  * Enabled ldap and mysql (Closes: #155025, #154965)
  * /etc/sasldb2 and /var/run/saslauthd now belong to the group "sasl" and
    are group-readable (Closes: #151798)

 -- Dima Barsky  Thu, 25 Sep 2002 15:51:12 +0100

cyrus-sasl2 (2.1.6-1) unstable; urgency=low

  * New upstream version
  * Make sure autoheader is not invoked at the build stage
    (Closes: #153127)

 -- Dima Barsky  Wed, 17 Jul 2002 12:19:29 +0100

cyrus-sasl2 (2.1.5-7) unstable; urgency=low

  * Separated heimdal-dependent plugins into the
    libsasl2-modules-gssapi-heimdal package
  * Updated libtool to the latest version (Closes: #146229)
  * Changed permissions on /var/run/saslauthd to 711 (Closes: #151796)

 -- Dima Barsky  Thu, 4 Jul 2002 09:24:42 +0100

cyrus-sasl2 (2.1.5-6) unstable; urgency=low

  * Removed build dependency on automake

 -- Dima Barsky  Wed, 3 Jul 2002 09:51:47 +0100

cyrus-sasl2 (2.1.5-5) unstable; urgency=low

  * Added a few packages to the Build-Depends list

 -- Dima Barsky  Tue, 2 Jul 2002 16:22:57 +0100

cyrus-sasl2 (2.1.5-4) unstable; urgency=low

  * Enabled DES, KERBEROS, and GSSAPI
  * Merged all modules into the package libsasl2-modules

 -- Dima Barsky  Tue, 2 Jul 2002 13:10:10 +0100

cyrus-sasl2 (2.1.5-3) unstable; urgency=low

  * Enabled sasldb in saslauthd (Closes: 146791)

 -- Dima Barsky  Tue, 2 Jul 2002 11:50:03 +0100

cyrus-sasl2 (2.1.5-2) unstable; urgency=low

  * Preserve /usr/lib/sasl2/*.la (Closes: #151567)

 -- Dima Barsky  Mon, 1 Jul 2002 19:24:21 +0100

cyrus-sasl2 (2.1.5-1) unstable; urgency=low

  * New upstream version (Closes: #133458, #148693, #131792, #150957)
  * Added explicit rule for building libsasl2.a (Closes: #144200)
  * Added a warning about /dev/random to README.Debian (Closes: #146982)
  * /var/run/saslauthd/mux is now world-readable (Closes: #147484)
  * Modified sasl2-bin.default to make it clear that MECHANISMS is a
    space-separated list, so it should be quoted if there is more than one
    item in it (Closes: #146790)

 -- Dima Barsky  Sun, 30 Jun 2002 01:19:16 +0100

cyrus-sasl2 (2.1.2-2) unstable; urgency=low

  * Fixed saslauthd man page (Closes: #131791)

 -- Dima Barsky  Wed, 27 Mar 2002 15:27:39 +0000

cyrus-sasl2 (2.1.2-1) unstable; urgency=low

  * New upstream version
  * Changed --without-gssapi to --disable-gssapi
  * Closes: #131792

 -- Dima Barsky  Tue, 26 Mar 2002 22:29:12 +0000

cyrus-sasl2 (2.1.1-0.2) unstable; urgency=low

  * Fix a naming problem with the init script.
  * Fix problems with the init script itself.

 -- Michael Alan Dorman  Sun, 17 Mar 2002 15:44:45 -0500

cyrus-sasl2 (2.1.1-0.1) unstable; urgency=low

  * New upstream version
  * Total rewrite of debian/rules, fold everything into nice, standard
    debhelper usage
  * Functionality to auto-start saslauthd, which configury through
    /etc/default/saslauthd

 -- Michael Alan Dorman  Sun, 17 Mar 2002 15:09:55 -0500

cyrus-sasl2 (2.1.0-2) unstable; urgency=low

  * Added build dependency on libopie-dev

 -- Dima Barsky  Sun, 27 Jan 2002 20:07:15 +0000

cyrus-sasl2 (2.1.0-1) unstable; urgency=low

  * Initial release of cyrus-sasl2

 -- Dima Barsky  Sun, 20 Jan 2002 14:36:45 +0000