Public bug reported:

Current Cyrus libsasl2 packaging (Ubuntu Jammy) distributes SASL bind mechanisms
into different packages. Plain and shared secret mechanisms are provided by
package libsasl2-modules:

  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so
  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25

The "safest" mechanism in this list is DIGEST-MD5, which is marked as
obsolete by IANA and regarded as unsafe by IETF. Current safest standard
mechanisms are SCRAM based (RFC 7677).

All SCRAM family SASL mechanisms of Cyrus SASL are provided by Ubuntu package
libsasl2-modules-gssapi-mit:

  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so
  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2.0.25

But the focus of this package is the GSSAPI and GS2 SASL mechanisms, which
have nothing to do with SCRAM. In addition, this package conflicts with
package libsasl2-modules-gssapi-heimdal. System administrators have to
choose one package for support of GSSAPI or GSS-SPNEGO. If they prefer
Heimdal there is no safe SASL shared secret mechanism available anymore
on the server/workstation.

** Affects: cyrus-sasl2 (Ubuntu)
Importance: Undecided
Status: New
--
https://bugs.launchpad.net/bugs/1988730
Title:
package libsasl2-modules provides only unsafe SASL bind mechanisms
Status in cyrus-sasl2 package in Ubuntu:
New
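
A way to check a host for the situation the report describes, as an added example that is not part of the original bug report: it maps the plugin file names listed in the report to their mechanisms and tells whether a SCRAM plugin is installed in a given plugin directory. The function names and the temporary demo directories are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Cyrus SASL plugin directory for a SCRAM plugin.
# Plugin file names are the ones listed in the bug report; function names are hypothetical.

# Map a plugin file name to the mechanism family it provides; fail if unknown.
sasl_mech_for_plugin() {
    case "$1" in
        libanonymous.so) echo "ANONYMOUS" ;;
        libcrammd5.so)   echo "CRAM-MD5" ;;
        libdigestmd5.so) echo "DIGEST-MD5" ;;
        liblogin.so)     echo "LOGIN" ;;
        libntlm.so)      echo "NTLM" ;;
        libplain.so)     echo "PLAIN" ;;
        libscram.so)     echo "SCRAM" ;;
        *)               return 1 ;;
    esac
}

# Print "MECH<TAB>file" for every known plugin in directory $1, sorted.
# Only unversioned lib*.so names are considered, so .so.2 links are not counted twice.
sasl_list_mechs() {
    for f in "$1"/lib*.so; do
        [ -e "$f" ] || continue
        base=${f##*/}
        if mech=$(sasl_mech_for_plugin "$base"); then
            printf '%s\t%s\n' "$mech" "$base"
        fi
    done | sort
}

# Return 0 only if a SCRAM plugin is present in directory $1.
sasl_has_scram() {
    sasl_list_mechs "$1" | grep -q '^SCRAM'
}

# Constructed demo: empty files in temp directories mimic the two file lists.
sasl_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/modules_only" "$tmp/with_scram"
    for p in libanonymous libcrammd5 libdigestmd5 liblogin libntlm libplain; do
        : > "$tmp/modules_only/$p.so"; : > "$tmp/with_scram/$p.so"
    done
    : > "$tmp/with_scram/libscram.so"
    for d in modules_only with_scram; do
        if sasl_has_scram "$tmp/$d"; then echo "$d: SCRAM plugin present"
        else echo "$d: no SCRAM plugin found"; fi
    done
    rm -rf "$tmp"
}
sasl_demo
```

On a real system, call `sasl_list_mechs` and `sasl_has_scram` with the plugin directory shown in the report.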