Red Hat has issued an advisory today (February 23):
https://access.redhat.com/errata/RHSA-2022:0658

The issue is fixed upstream in 2.1.28:
https://github.com/cyrusimap/cyrus-sasl/releases/tag/cyrus-sasl-2.1.28
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28

Mageia 8 is also affected.

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 2.1.28
Ubuntu has issued an advisory for this on February 22:
https://ubuntu.com/security/notices/USN-5301-1
A homeless SRPM necessitating global assignment for this update.
Assignee: bugsquad => pkg-bugs
Suggested advisory:
========================

The updated packages fix a security vulnerability:

In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL INSERT or UPDATE statement. (CVE-2022-24407)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24407
https://www.cyrusimap.org/sasl/sasl/release-notes/2.1/index.html#new-in-2-1-28
https://ubuntu.com/security/notices/USN-5301-1
========================

Updated packages in core/updates_testing:
========================
lib(64)sasl2-plug-srp-2.1.27-3.1.mga8
lib(64)sasl2-plug-gssapi-2.1.27-3.1.mga8
lib(64)sasl2-plug-otp-2.1.27-3.1.mga8
lib(64)sasl2_3-2.1.27-3.1.mga8
lib(64)sasl2-devel-2.1.27-3.1.mga8
lib(64)sasl2-plug-plain-2.1.27-3.1.mga8
lib(64)sasl2-plug-ldapdb-2.1.27-3.1.mga8
lib(64)sasl2-plug-digestmd5-2.1.27-3.1.mga8
lib(64)sasl2-plug-anonymous-2.1.27-3.1.mga8
lib(64)sasl2-plug-sqlite3-2.1.27-3.1.mga8
lib(64)sasl2-plug-scram-2.1.27-3.1.mga8
lib(64)sasl2-plug-mysql-2.1.27-3.1.mga8
lib(64)sasl2-plug-pgsql-2.1.27-3.1.mga8
lib(64)sasl2-plug-sasldb-2.1.27-3.1.mga8
lib(64)sasl2-plug-crammd5-2.1.27-3.1.mga8
lib(64)sasl2-plug-login-2.1.27-3.1.mga8
lib(64)sasl2-plug-ntlm-2.1.27-3.1.mga8
cyrus-sasl-2.1.27-3.1.mga8

from SRPM:
cyrus-sasl-2.1.27-3.1.mga8.src.rpm

Status comment: Fixed upstream in 2.1.28 => (none)
CVE: (none) => CVE-2022-24407
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Assignee: pkg-bugs => qa-bugs
Source RPM: cyrus-sasl-2.1.27-4.mga9.src.rpm => cyrus-sasl-2.1.27-3.mga8.src.rpm
Status: NEW => ASSIGNED
Version: Cauldron => 8
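The advisory text above describes the defect class: a caller-supplied password interpolated verbatim into an SQL INSERT/UPDATE string. The following is an added illustration of that class and of the generic mitigation (escaping the value so it stays inside one SQL string literal); it is not Cyrus SASL's plugins/sql.c, not the upstream 2.1.28 fix, and the function names, the table name `sasl` and the sample values are all constructed for this example. Standard SQL escapes a single quote inside a literal by doubling it; production code should use the database driver's own escape routine or, better, bound parameters rather than a hand-written escaper.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not cyrus-sasl code. Doubles every single quote so the
 * value remains a single SQL string literal (standard SQL escaping).
 * Returns a malloc'd buffer the caller must free, or NULL on failure. */
char *sql_escape_literal(const char *in) {
    size_t n = strlen(in), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i] == '\'') extra++;
    char *out = malloc(n + extra + 1);
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') *p++ = '\'';   /* emit the doubled quote */
        *p++ = in[i];
    }
    *p = '\0';
    return out;
}

/* Defective pattern: user and password are pasted in unescaped. */
int build_update_unescaped(char *buf, size_t len,
                           const char *user, const char *password) {
    return snprintf(buf, len,
        "UPDATE sasl SET password = '%s' WHERE username = '%s'",
        password, user);
}

/* Hardened pattern: every interpolated value is escaped first. */
int build_update_escaped(char *buf, size_t len,
                         const char *user, const char *password) {
    char *eu = sql_escape_literal(user);
    char *ep = sql_escape_literal(password);
    int r = -1;
    if (eu && ep)
        r = snprintf(buf, len,
            "UPDATE sasl SET password = '%s' WHERE username = '%s'",
            ep, eu);
    free(eu);
    free(ep);
    return r;
}

/* Tokenises the statement's string literals the way an SQL parser would
 * (a doubled quote stays inside the literal). Returns the number of
 * literals, or -1 if a literal is left unterminated, i.e. the value
 * has broken out of its quotes. */
int count_string_literals(const char *sql) {
    int count = 0, inside = 0;
    for (const char *p = sql; *p; p++) {
        if (*p != '\'') continue;
        if (!inside) { inside = 1; count++; }
        else if (p[1] == '\'') p++;      /* escaped quote, stay inside */
        else inside = 0;
    }
    return inside ? -1 : count;
}

/* Convenience wrappers returning the literal count for each builder. */
int literals_in_unescaped(const char *user, const char *password) {
    char buf[512];
    if (build_update_unescaped(buf, sizeof buf, user, password) < 0) return -2;
    return count_string_literals(buf);
}

int literals_in_escaped(const char *user, const char *password) {
    char buf[512];
    if (build_update_escaped(buf, sizeof buf, user, password) < 0) return -2;
    return count_string_literals(buf);
}

/* Returns 1 if escaping `in` yields exactly `expected`. */
int escape_matches(const char *in, const char *expected) {
    char *e = sql_escape_literal(in);
    int ok = e && strcmp(e, expected) == 0;
    free(e);
    return ok;
}

int main(void) {
    /* Constructed sample: a password containing a single quote. */
    const char *user = "alice", *password = "pa'ss";
    char buf[512];
    build_update_unescaped(buf, sizeof buf, user, password);
    printf("unescaped: %s  -> literals=%d\n", buf, count_string_literals(buf));
    build_update_escaped(buf, sizeof buf, user, password);
    printf("escaped:   %s  -> literals=%d\n", buf, count_string_literals(buf));
    return 0;
}
```

With the sample password the unescaped statement leaves a literal unterminated (the parser reports -1), while the escaped statement parses as exactly two literals and the password round-trips as `'pa''ss'`.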
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 25914 for testing.

# systemctl -l status saslauthd
● saslauthd.service - SASL authentication daemon.
     Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
     Active: inactive (dead)

# systemctl -l start saslauthd

# systemctl -l status saslauthd
● saslauthd.service - SASL authentication daemon.
     Loaded: loaded (/usr/lib/systemd/system/saslauthd.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2022-02-24 14:55:40 CET; 9s ago
    Process: 15838 ExecStart=/usr/sbin/saslauthd -m /run/saslauthd -a $SASL_AUTHMECH $SASLAUTHD_OPTS (code=exited, status=0/SUCCESS)
   Main PID: 15839 (saslauthd)
      Tasks: 5 (limit: 9397)
     Memory: 1.3M
        CPU: 4ms
     CGroup: /system.slice/saslauthd.service
             ├─15839 /usr/sbin/saslauthd -m /run/saslauthd -a pam
             ├─15840 /usr/sbin/saslauthd -m /run/saslauthd -a pam
             ├─15841 /usr/sbin/saslauthd -m /run/saslauthd -a pam
             ├─15842 /usr/sbin/saslauthd -m /run/saslauthd -a pam
             └─15843 /usr/sbin/saslauthd -m /run/saslauthd -a pam

feb 24 14:55:40 mach5.hviaene.thuis systemd[1]: Starting SASL authentication daemon....
feb 24 14:55:40 mach5.hviaene.thuis saslauthd[15839]: : master pid is: 15839
feb 24 14:55:40 mach5.hviaene.thuis saslauthd[15839]: : listening on socket: /run/saslauthd/mux
feb 24 14:55:40 mach5.hviaene.thuis systemd[1]: Started SASL authentication daemon..

Also wanted to test with smb:

# mount -t cifs //mach1/beelden /mnt/beeldensmb/ -o username=herman
Password for herman@//mach1/beelden:

The mount worked: I can see the share in dolphin, but

# smbtree -S

does not return anything at all. I don't get it.

CC: (none) => herman.viaene
Fedora has issued an advisory for this on March 8:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZZC6BMPI3V3MC2IGNLN377ETUWO7QBIH/
I'm fumbling around in the dark on this, Herman, so I don't have a clue of what to tell you. But, the stuff before the smb trial agrees with what your test in Bug 25914 showed. It was good enough for that update, so I'm going to hope it's good enough this time, too. I'm going to send this on its way. I'm sure that if that's the wrong thing to do, someone will let us know. Validating. Advisory in Comment 3.
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK
Keywords: (none) => validated_update

Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2022-0111.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED