Package: cyrus-sasl2
Version: 2.1.28+dfsg-5
Severity: normal

Dear maintainer,

cyrus-sasl2 2.1.28 has commit 8aa9ae816ddf66921b4a8a0f422517e6f2e55ac6[1] which makes it use openssl for RC4.

debian/sid now has openssl3, which deprecated RC4 and made it part of the legacy provider. Which means that by default it won't be available, unless the application enables the legacy provider, or if said provider is enabled via a system-wide openssl configuration.

Those two facts combined mean digest-md5, which uses RC4 if the SSF layer is set to use encryption, is currently unavailable to applications using the cyrus-sasl2 library, such as openldap:

$ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128
SASL/DIGEST-MD5 authentication started
SASL username: ubuntu@lxd
SASL SSF: 128
SASL data security layer installed.
Segmentation fault (core dumped)

With maxssf=0 it works, because it then does not use RC4:

$ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0
SASL/DIGEST-MD5 authentication started
SASL username: ubuntu@lxd
SASL SSF: 0
dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth

This failure can also be seen in the, currently failing, python-bonsai DEP8 tests[2][3]:

tests/test_ldapconnection.py::test_bind_digest Fatal Python error: Segmentation fault

cyrus-sasl2 upstream landed[4] a few commits to address this and other things, among which:

- gracefully handle failed initializations. This removes the segfault, but the digest-md5 auth with ssf=128 still fails:
  https://github.com/cyrusimap/cyrus-sasl/pull/653/commits/455417ad5d7da87d22590942a433939bdff986ca

- catch errors from EVP_Digest* functions (also related to openssl3):
  https://github.com/cyrusimap/cyrus-sasl/pull/653/commits/a7db9c89738ea7b42d6cb6eac98d8afc2653de70

From https://github.com/cyrusimap/cyrus-sasl/pull/668/commits (still in PR state, not merged yet):

- Add support for loading the legacy provider. This restores digest-md5 auth with ssf set to encryption:
  https://github.com/cyrusimap/cyrus-sasl/pull/668/commits/4146861caed69ceebd16531fa12f89b5cb1edfa2

1. https://github.com/cyrusimap/cyrus-sasl/commit/8aa9ae816ddf66921b4a8a0f422517e6f2e55ac6
2. https://ci.debian.net/packages/p/python-bonsai/unstable/amd64/
3. https://ci.debian.net/data/autopkgtest/unstable/amd64/p/python-bonsai/21862951/log.gz
4. https://github.com/cyrusimap/cyrus-sasl/pull/653/commits
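
Added example, not part of the original report and not cyrus-sasl or OpenSSL code: a Python check that reads openssl.cnf text and reports which providers it activates, which is the "system-wide openssl configuration" condition the report names for RC4 being available. The function names and both sample configs are constructed for illustration; the parser is a simplification that ignores .include directives and variable expansion.

```python
import re

FALSEY = {"0", "no", "off", "false"}

def parse_openssl_cnf(text):
    """Parse openssl.cnf text into {section: {key: value}}; keys before the
    first [section] go to "default". No .include or $variable handling."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def active_providers(text):
    """Return the provider names this config activates explicitly."""
    cfg = parse_openssl_cnf(text)
    init = cfg.get(cfg["default"].get("openssl_conf", ""), {})
    providers = cfg.get(init.get("providers", ""), {})
    active = set()
    for name, section in providers.items():
        flag = cfg.get(section, {}).get("activate")
        # Assumption: a false-like value leaves the provider inactive.
        if flag is not None and flag.lower() not in FALSEY:
            active.add(name)
    return active

# Constructed sample: provider section present, nothing activated.
STOCK_CNF = """
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect
[default_sect]
# activate = 1
"""

# Constructed sample: legacy provider (RC4 and other old ciphers) enabled.
LEGACY_CNF = STOCK_CNF.replace("# activate", "activate").replace(
    "default = default_sect", "default = default_sect\nlegacy = legacy_sect"
) + "[ legacy_sect ]\nactivate = 1\n"
```

Passing the contents of the system's openssl.cnf to active_providers() shows whether "legacy" is in the returned set, meaning RC4 is exposed to every application that loads that configuration rather than only to the SASL library.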