[Touch-packages] [Bug 1988730] Re: package libsasl2-modules provides only unsafe SASL bind mechanims

Wed, 23 Nov 2022 08:27:15 -0800 

** Changed in: cyrus-sasl2 (Ubuntu Jammy)
     Assignee: (unassigned) => Andreas Hasenack (ahasenack)

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1988730

Title:
  package libsasl2-modules provides only unsafe SASL bind mechanims

Status in cyrus-sasl2 package in Ubuntu:
  Fix Released
Status in cyrus-sasl2 source package in Jammy:
  Triaged

Bug description:
  Current Cyrus libsasl2 packaging (Ubuntu Jammy) distributes SASL bind 
mechanims into different packages. Plained and shared secret mechanisms are 
provided by package libsasl2-modules:
  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so
  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25

  The "safest" mechanism in this list is DIGEST-MD5, which is marked as
  obsolete by IANA and regarded as unsafe by IETF. Current safest
  standard mechanisms are SCRAM based (RFC7677).

  All SCRAM family SASL mechanisms of Cyrus SASL are provided by Ubuntu package 
libsasl2-modules-gssapi-mit:
  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so
  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2.0.25

  But the focus of this package is GSSAPI and GS2 SASL mechanism, which
  have nothing to do with SCRAM. In addition, this package conflicts
  with package libsasl2-modules-gssapi-heimdal. System administrators
  have to choose one package for support of GSSAPI or GSS-SPEGNO. If
  they prefer Heimdal there is no safe SASL shared secret mechanism
  available anymore on the server/workstation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1988730/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to