Your message dated Thu, 19 May 2022 20:34:16 +0000
with message-id <[email protected]>
and subject line Bug#1011249: fixed in cyrus-sasl2 2.1.28+dfsg-6
has caused the Debian Bug report #1011249,
regarding cyrus-sasl2: broken DIGEST-MD5 with openssl3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1011249: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1011249
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: cyrus-sasl2
Version: 2.1.28+dfsg-5
Severity: normal

Dear maintainer,

cyrus-sasl2 2.1.28 has commit
8aa9ae816ddf66921b4a8a0f422517e6f2e55ac6[1] which makes it use openssl
for RC4.

debian/sid now has openssl3, which deprecated RC4 and made it part of
the legacy provider. This means that by default it won't be
available, unless the application enables the legacy provider, or
said provider is enabled via a system-wide openssl configuration.

Those two facts combined mean digest-md5, which uses RC4 if the SSF
layer is set to use encryption, is currently unavailable to
applications using the cyrus-sasl2 library, such as openldap:

  $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=128
  SASL/DIGEST-MD5 authentication started
  SASL username: ubuntu@lxd
  SASL SSF: 128
  SASL data security layer installed.
  Segmentation fault (core dumped)

With maxssf=0 it works, because it then does not use RC4:

  $ ldapwhoami -U ubuntu@lxd -w ubuntusecret -O maxssf=0
  SASL/DIGEST-MD5 authentication started
  SASL username: ubuntu@lxd
  SASL SSF: 0
  dn:uid=ubuntu@lxd,cn=vms,cn=digest-md5,cn=auth

This failure can also be seen in the, currently failing, python-bonsai
DEP8 tests[2][3]:

  tests/test_ldapconnection.py::test_bind_digest Fatal Python error: Segmentation fault

cyrus-sasl2 upstream landed[4] a few commits to address this and other
things, among which:

- gracefully handle failed initializations. This removes the segfault,
but the digest-md5 auth with ssf=128 still fails:
https://github.com/cyrusimap/cyrus-sasl/pull/653/commits/455417ad5d7da87d22590942a433939bdff986ca

- catch errors from EVP_Digest* functions (also related to openssl3):
https://github.com/cyrusimap/cyrus-sasl/pull/653/commits/a7db9c89738ea7b42d6cb6eac98d8afc2653de70

From https://github.com/cyrusimap/cyrus-sasl/pull/668/commits (still
in PR state, not merged yet):
- Add support for loading the legacy provider. This restores
digest-md5 auth with ssf set to encryption
https://github.com/cyrusimap/cyrus-sasl/pull/668/commits/4146861caed69ceebd16531fa12f89b5cb1edfa2


1. https://github.com/cyrusimap/cyrus-sasl/commit/8aa9ae816ddf66921b4a8a0f422517e6f2e55ac6
2. https://ci.debian.net/packages/p/python-bonsai/unstable/amd64/
3. https://ci.debian.net/data/autopkgtest/unstable/amd64/p/python-bonsai/21862951/log.gz
4. https://github.com/cyrusimap/cyrus-sasl/pull/653/commits

--- End Message ---
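The report above notes that RC4 stays unavailable under OpenSSL 3 unless the application loads the legacy provider itself or the provider is enabled through a system-wide OpenSSL configuration. The fragment below is an added example of that system-wide route, written by the editor from OpenSSL 3's documented config(5ssl) provider sections; it is not part of the bug report, of the cyrus-sasl2 package, or of the upstream pull requests. On Debian the file it would go into is typically /etc/ssl/openssl.cnf; the section names are the conventional ones and can be chosen freely as long as they reference each other consistently.

```ini
# Top-level (unnamed) section: point OpenSSL at the init section.
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

# Once a providers section exists, the default provider is no longer
# loaded implicitly, so it has to be activated explicitly alongside
# legacy; otherwise only the legacy algorithms would be available.
[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

# Activates RC4, MD4, DES and the other algorithms OpenSSL 3 moved
# out of the default provider. This applies to every process that
# links libcrypto on the host, not only to DIGEST-MD5 users.
[legacy_sect]
activate = 1
```

Because libcrypto reads this file in every process, the change re-enables the whole legacy algorithm set host-wide. The approach in the upstream pull request referenced above, loading the provider from inside the digest-md5 plugin, limits the exposure to the one consumer that actually needs RC4, and the accompanying "gracefully handle failed init" change is what turns a missing provider into an authentication failure instead of the segfault shown in the report.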
--- Begin Message ---
Source: cyrus-sasl2
Source-Version: 2.1.28+dfsg-6
Done: Bastian Germann <[email protected]>

We believe that the bug you reported is fixed in the latest version of
cyrus-sasl2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <[email protected]> (supplier of updated cyrus-sasl2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 May 2022 22:10:49 +0200
Source: cyrus-sasl2
Architecture: source
Version: 2.1.28+dfsg-6
Distribution: unstable
Urgency: high
Maintainer: Debian Cyrus Team <[email protected]>
Changed-By: Bastian Germann <[email protected]>
Closes: 1011249
Changes:
 cyrus-sasl2 (2.1.28+dfsg-6) unstable; urgency=high
 .
   * d/copyright: Add debian/tests info
 .
   [ Andreas Hasenack ]
   * d/p/0026-Gracefully-handle-failed-init.patch (Closes: #1011249)
   * d/p/0027-Catch-errors-from-EVP_Digest-functions.patch
   * d/p/0029-Load-OpenSSL3-legacy-provider-digestmd5.patch
   * d/t/{control,shared-secret-mechs}: test shared secret mechanisms
Checksums-Sha1:
 846189ee88a9c1ae8df31745a4b71c5d21dad0e4 3313 cyrus-sasl2_2.1.28+dfsg-6.dsc
 b639aefe099168e704c166483e49a42b476936ea 93528 cyrus-sasl2_2.1.28+dfsg-6.debian.tar.xz
 79fac702bc2a374f4a6e9f823c8fb697ad53e10a 7179 cyrus-sasl2_2.1.28+dfsg-6_source.buildinfo
Checksums-Sha256:
 837f5ff067a74d41cae1da4539fca6b260ca244defb7a4997fa38fe75427a59b 3313 cyrus-sasl2_2.1.28+dfsg-6.dsc
 43d78168bbedd71a492d6f3aac892292f410d8f9ebb2179d8c84a2be36711a4d 93528 cyrus-sasl2_2.1.28+dfsg-6.debian.tar.xz
 ac35be0dd0dd2f6add77a4b7cb7164ec6941c4f796bf0e88d4792770638da7b2 7179 cyrus-sasl2_2.1.28+dfsg-6_source.buildinfo
Files:
 71ca14d660252f91ccd486ffd3021aeb 3313 libs optional cyrus-sasl2_2.1.28+dfsg-6.dsc
 70713aace5d40d811e2dfac705e1e838 93528 libs optional cyrus-sasl2_2.1.28+dfsg-6.debian.tar.xz
 bd5e84cbac6a191f5098720d969afd4f 7179 libs optional cyrus-sasl2_2.1.28+dfsg-6_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
