Your message dated Tue, 18 Mar 2008 18:17:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#431191: fixed in cyrus-sasl2 2.1.22.dfsg1-19
has caused the Debian Bug report #431191,
regarding cyrus-sasl2: don't allow trailing CR/LF/CRLF in base64 data
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
431191: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=431191
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: cyrus-sasl2
Version: 2.1.22.dfsg1-6
Severity: minor
Debian bug #400955 was resolved by Debian patch
0015_saslutil_decode64_fix, which allows base64 input data to be
terminated by CR, LF, or CRLF. This is against RFC 4648, which defines
base64. Upstream fixed their code to be RFC-compliant but since some
applications incorrectly assume the old behaviour, and since it was very
late in the etch release cycle, we decided to err on the side of caution
and not risk breakage in applications using Cyrus SASL.
However, we now have the opportunity to reduce the number of patches in
the Debian version of Cyrus SASL, and to find packages that do not
properly sanitize their base64 data before passing it to libsasl2.
This bug tracks the progress of removing the patch and fixing the
packages which depend on this incorrect behaviour.
A possible workflow is the following:
1. List packages in Debian that have code calling sasl_decode64. For
each such package:
2. Determine if it sanitizes its data before passing it to sasl_decode64.
3. If not, submit a bug against the package, preferably with a patch.
4. When enough packages have been checked, remove the patch.
5. Be alert and help other maintainers to fix their packages.
--
Fabian Fagerholm <[EMAIL PROTECTED]>
--- End Message ---
--- Begin Message ---
Source: cyrus-sasl2
Source-Version: 2.1.22.dfsg1-19
We believe that the bug you reported is fixed in the latest version of
cyrus-sasl2, which is due to be installed in the Debian FTP archive:
cyrus-sasl2-dbg_2.1.22.dfsg1-19_i386.deb
to pool/main/c/cyrus-sasl2/cyrus-sasl2-dbg_2.1.22.dfsg1-19_i386.deb
cyrus-sasl2-doc_2.1.22.dfsg1-19_all.deb
to pool/main/c/cyrus-sasl2/cyrus-sasl2-doc_2.1.22.dfsg1-19_all.deb
cyrus-sasl2_2.1.22.dfsg1-19.diff.gz
to pool/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1-19.diff.gz
cyrus-sasl2_2.1.22.dfsg1-19.dsc
to pool/main/c/cyrus-sasl2/cyrus-sasl2_2.1.22.dfsg1-19.dsc
libsasl2-2_2.1.22.dfsg1-19_i386.deb
to pool/main/c/cyrus-sasl2/libsasl2-2_2.1.22.dfsg1-19_i386.deb
libsasl2-dev_2.1.22.dfsg1-19_i386.deb
to pool/main/c/cyrus-sasl2/libsasl2-dev_2.1.22.dfsg1-19_i386.deb
libsasl2-modules-gssapi-mit_2.1.22.dfsg1-19_i386.deb
to
pool/main/c/cyrus-sasl2/libsasl2-modules-gssapi-mit_2.1.22.dfsg1-19_i386.deb
libsasl2-modules-ldap_2.1.22.dfsg1-19_i386.deb
to pool/main/c/cyrus-sasl2/libsasl2-modules-ldap_2.1.22.dfsg1-19_i386.deb
libsasl2-modules-otp_2.1.22.dfsg1-19_i386.deb
to pool/main/c/cyrus-sasl2/libsasl2-modules-otp_2.1.22.dfsg1-19_i386.deb
libsasl2-modules-sql_2.1.22.dfsg1-19_i386.deb
to pool/main/c/cyrus-sasl2/libsasl2-modules-sql_2.1.22.dfsg1-19_i386.deb
libsasl2-modules_2.1.22.dfsg1-19_i386.deb
to pool/main/c/cyrus-sasl2/libsasl2-modules_2.1.22.dfsg1-19_i386.deb
sasl2-bin_2.1.22.dfsg1-19_i386.deb
to pool/main/c/cyrus-sasl2/sasl2-bin_2.1.22.dfsg1-19_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fabian Fagerholm <[EMAIL PROTECTED]> (supplier of updated cyrus-sasl2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Tue, 18 Mar 2008 20:04:21 +0200
Source: cyrus-sasl2
Binary: sasl2-bin cyrus-sasl2-doc libsasl2-2 libsasl2-modules
libsasl2-modules-ldap libsasl2-modules-otp libsasl2-modules-sql
libsasl2-modules-gssapi-mit libsasl2-dev cyrus-sasl2-dbg
Architecture: source all i386
Version: 2.1.22.dfsg1-19
Distribution: unstable
Urgency: low
Maintainer: Fabian Fagerholm <[EMAIL PROTECTED]>
Changed-By: Fabian Fagerholm <[EMAIL PROTECTED]>
Description:
cyrus-sasl2-dbg - Cyrus SASL - debugging symbols
cyrus-sasl2-doc - Cyrus SASL - documentation
libsasl2-2 - Cyrus SASL - authentication abstraction library
libsasl2-dev - Cyrus SASL - development files for authentication abstraction
lib
libsasl2-modules - Cyrus SASL - pluggable authentication modules
libsasl2-modules-gssapi-mit - Cyrus SASL - pluggable authentication modules
(GSSAPI)
libsasl2-modules-ldap - Cyrus SASL - pluggable authentication modules (LDAP)
libsasl2-modules-otp - Cyrus SASL - pluggable authentication modules (OTP)
libsasl2-modules-sql - Cyrus SASL - pluggable authentication modules (SQL)
sasl2-bin - Cyrus SASL - administration programs for SASL users database
Closes: 327479 431191
Changes:
cyrus-sasl2 (2.1.22.dfsg1-19) unstable; urgency=low
.
[ Fabian Fagerholm ]
* debian/patches/00options, debian/patches/00list: Don't apply symbol
versioning patch when building under ppc64. (Closes: #327479)
* debian/control: Lower priority of -modules-gssapi-mit package to extra,
because it conflicts with the -modules-gssapi-heimdal package. (Policy
section 2.5.)
* debian/patches/0015_saslutil_decode64_fix.dpatch, debian/patches/00list:
Don't allow trailing CR/LF/CRLF in base64 data. (Closes: #431191)
* debian/control: Don't build-depend on -1 revisions.
* debian/cyrus-sasl2-doc.doc-base: Adjust section.
.
[ Roberto C. Sanchez ]
* debian/repack.sh: Automate repackaging of DFSG-compliant tarball
Files:
4fd20d8744c899c9770a099bc4a17950 1412 libs important
cyrus-sasl2_2.1.22.dfsg1-19.dsc
479fbfaae44fdf6985412e31a2137f83 73733 libs important
cyrus-sasl2_2.1.22.dfsg1-19.diff.gz
935b876c07f01e4876de430a5c660174 103872 doc optional
cyrus-sasl2-doc_2.1.22.dfsg1-19_all.deb
f5606ecb97393c671d7bbe9dda78bafa 141808 utils optional
sasl2-bin_2.1.22.dfsg1-19_i386.deb
b19fe496354fb3ebbf23cf1739783972 102416 libs important
libsasl2-2_2.1.22.dfsg1-19_i386.deb
9c10ac06dd0f439b441813bbe5d796c9 142270 libs optional
libsasl2-modules_2.1.22.dfsg1-19_i386.deb
287d0c77465a82145ba725156be75901 56550 libs optional
libsasl2-modules-ldap_2.1.22.dfsg1-19_i386.deb
9542488e40f170c63517cacaa9e184da 74394 libs optional
libsasl2-modules-otp_2.1.22.dfsg1-19_i386.deb
8f88280626de2f9b02f6fa6f893ad6d1 63158 libs optional
libsasl2-modules-sql_2.1.22.dfsg1-19_i386.deb
676b290c227a225adc932d65e32b501d 64540 libs extra
libsasl2-modules-gssapi-mit_2.1.22.dfsg1-19_i386.deb
333faed8f6b66dd97adc8799c0610307 257126 libdevel optional
libsasl2-dev_2.1.22.dfsg1-19_i386.deb
e5bb2452197b8ea6b873ab70b8d55173 571396 libdevel extra
cyrus-sasl2-dbg_2.1.22.dfsg1-19_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFH4AXN76VUNpZBmeIRAme8AJwPT34CYPFOq7fuYuyDK9vKTuxbBwCdHfJA
IWpp85yc3TZhS0fu4hjyVig=
=kLZ3
-----END PGP SIGNATURE-----
--- End Message ---