diff --git a/cyrus-sasl-bdb.changes b/cyrus-sasl-bdb.changes index f963525..6125169 100644 --- a/cyrus-sasl-bdb.changes +++ b/cyrus-sasl-bdb.changes @@ -1,10 +1,17 @@ +------------------------------------------------------------------- +Thu Feb 25 18:03:26 UTC 2021 - Peter Varkoly + +- Fix build: Do not build libsasl2-3 in the bdb package. This will + not be linked to berkely db. libsasl2-3 is now defined as + %BuildRequires and %Requires + ------------------------------------------------------------------- Tue Dec 8 13:33:33 UTC 2020 - Peter Varkoly - Remove Berkeley DB dependency (JIRA#SLE-12190) - The pacakges cyrus-sasl and cyrus-sasl-saslauthd are build + The packages cyrus-sasl and cyrus-sasl-saslauthd are built without Berkely DB support. gdbm will be used instead of BDB. - The pacakges cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are build + The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built with Berkely DB support. - Update to 2.1.27 * Added support for OpenSSL 1.1 diff --git a/cyrus-sasl-bdb.spec b/cyrus-sasl-bdb.spec index 924f923..0d3b7ee 100644 --- a/cyrus-sasl-bdb.spec +++ b/cyrus-sasl-bdb.spec @@ -1,7 +1,7 @@ # # spec file for package cyrus-sasl-bdb # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -36,8 +36,10 @@ Patch5: cyrus-sasl-no_rpath.patch Patch6: cyrus-sasl-lfs.patch Patch7: fix_libpq-fe_include.diff BuildRoot: %{_tmppath}/%{name}-%{version}-build +Requires: libsasl2-3 BuildRequires: db-devel BuildRequires: krb5-mini-devel +BuildRequires: libsasl2-3 BuildRequires: libtool BuildRequires: openssl-devel BuildRequires: opie 
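Review bot: The new `Requires: libsasl2-3` in the cyrus-sasl-bdb.spec preamble hunk carries no version, so the bdb build can be installed next to any libsasl2-3 the repository offers, including one older than the plugins were built against. The plugin subpackages later in the same spec are pinned with `= %{version}`, so the library dependency should probably follow suit: `Requires: libsasl2-3 = %{version}`. The matching `BuildRequires: libsasl2-3` means the package now builds against an already-packaged library instead of one from its own tree. Whether the two packages are always released in lockstep is not visible here, so an explicit pin is the safer choice.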
@@ -52,49 +54,49 @@ Conflicts: cyrus-sasl %package gssapi Summary: Plugin for the GSSAPI SASL mechanism Group: Productivity/Networking/Other -Requires: cyrus-sasl = %{version} +Requires: cyrus-sasl-bdb = %{version} Conflicts: cyrus-sasl-gssapi %package crammd5 Summary: Plugin for the CRAMMD5 SASL mechanism Group: Productivity/Networking/Other -Requires: cyrus-sasl = %{version} +Requires: cyrus-sasl-bdb = %{version} Conflicts: cyrus-sasl-crammd5 %package digestmd5 Summary: Plugin for the DIGESTMD5 SASL mechanism Group: Productivity/Networking/Other -Requires: cyrus-sasl = %{version} +Requires: cyrus-sasl-bdb = %{version} Conflicts: cyrus-sasl-digestmd5 %package otp Summary: Plugin for the OTP SASL mechanism Group: Productivity/Networking/Other -Requires: cyrus-sasl = %{version} +Requires: cyrus-sasl-bdb = %{version} Conflicts: cyrus-sasl-otp %package plain Summary: Plugin for the PLAIN SASL mechanism Group: Productivity/Networking/Other -Requires: cyrus-sasl = %{version} +Requires: cyrus-sasl-bdb = %{version} Conflicts: cyrus-sasl-plain %package ntlm Summary: Plugin for the NTLM SASL mechanism Group: Productivity/Networking/Other -Requires: cyrus-sasl = %{version} +Requires: cyrus-sasl-bdb = %{version} Conflicts: cyrus-sasl-ntlm %package gs2 Summary: Plugin for the GS2 SASL mechanism Group: Productivity/Networking/Other -Requires: cyrus-sasl = %{version} +Requires: cyrus-sasl-bdb = %{version} Conflicts: cyrus-sasl-gs2 %package scram Summary: Plugin for the SCRAM SASL mechanism Group: Productivity/Networking/Other -Requires: cyrus-sasl = %{version} +Requires: cyrus-sasl-bdb = %{version} Conflicts: cyrus-sasl-scram %package devel diff --git a/cyrus-sasl-saslauthd-bdb.changes b/cyrus-sasl-saslauthd-bdb.changes index f963525..92922ce 100644 --- a/cyrus-sasl-saslauthd-bdb.changes +++ b/cyrus-sasl-saslauthd-bdb.changes 
@@ -2,9 +2,9 @@ Tue Dec 8 13:33:33 UTC 2020 - Peter Varkoly - Remove Berkeley DB dependency (JIRA#SLE-12190) - The pacakges cyrus-sasl and cyrus-sasl-saslauthd are build + The packages cyrus-sasl and cyrus-sasl-saslauthd are built without Berkely DB support. gdbm will be used instead of BDB. - The pacakges cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are build + The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built with Berkely DB support. - Update to 2.1.27 * Added support for OpenSSL 1.1 diff --git a/cyrus-sasl-saslauthd-bdb.spec b/cyrus-sasl-saslauthd-bdb.spec index 3014dd6..f50029a 100644 --- a/cyrus-sasl-saslauthd-bdb.spec +++ b/cyrus-sasl-saslauthd-bdb.spec @@ -1,7 +1,7 @@ # # spec file for package cyrus-sasl-saslauthd-bdb # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed diff --git a/cyrus-sasl-saslauthd.spec b/cyrus-sasl-saslauthd.spec index 3f678bf..74f7845 100644 --- a/cyrus-sasl-saslauthd.spec +++ b/cyrus-sasl-saslauthd.spec @@ -1,7 +1,7 @@ # # spec file for package cyrus-sasl-saslauthd # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed diff --git a/cyrus-sasl.changes b/cyrus-sasl.changes index f963525..f97c315 100644 --- a/cyrus-sasl.changes +++ b/cyrus-sasl.changes 
@@ -1,10 +1,18 @@ +------------------------------------------------------------------- +Fri Jan 8 11:32:42 UTC 2021 - Peter Varkoly + +- CVE-2020-8032: cyrus-sasl: Local privilege escalation to root + due to insecure tmp file usage. (bsc#1180669) + Use /var/adm/update-scripts/ instead of /tmp. Clean up temporary + files. + ------------------------------------------------------------------- Tue Dec 8 13:33:33 UTC 2020 - Peter Varkoly - Remove Berkeley DB dependency (JIRA#SLE-12190) - The pacakges cyrus-sasl and cyrus-sasl-saslauthd are build + The packages cyrus-sasl and cyrus-sasl-saslauthd are built without Berkely DB support. gdbm will be used instead of BDB. - The pacakges cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are build + The packages cyrus-sasl-bdb and cyrus-sasl-saslauthd-bdb are built with Berkely DB support. - Update to 2.1.27 * Added support for OpenSSL 1.1 diff --git a/cyrus-sasl.spec b/cyrus-sasl.spec index bd97702..e0dcc24 100644 --- a/cyrus-sasl.spec +++ b/cyrus-sasl.spec @@ -1,7 +1,7 @@ # # spec file for package cyrus-sasl # -# Copyright (c) 2020 SUSE LLC +# Copyright (c) 2021 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -112,7 +112,6 @@ Conflicts: cyrus-sasl-devel-bdb %package -n libsasl2-3 Summary: Simple Authentication and Security Layer (SASL) library Group: System/Libraries -Conflicts: libsasl2-3-bdb %description This is the Cyrus SASL API. It can be used on the client or server side @@ -218,7 +217,7 @@ find "%buildroot" -type f -name "*.la" -print -delete #Convert password file from berkely into gdbm #In %pre the existing file will be dumped out if [ -e /etc/sasldb2 ]; then -cat < /tmp/saslpw.awk +cat < /var/adm/update-scripts/saslpw.awk { split(\$0,b,/\\\00/) if( b[3] == "userPassword" ) { 
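Review bot: The helper script in the cyrus-sasl.spec scriptlet is still written through a plain shell redirect to a fixed, predictable name (`/var/adm/update-scripts/saslpw.awk`), so the fix rests entirely on that directory being writable by root only, which this hunk does not show. A redirect follows an existing symlink and truncates its target, so creating the file with `awkfile=$(mktemp /var/adm/update-scripts/saslpw.awk.XXXXXX)` and writing to `"$awkfile"` would keep the scriptlet safe even where the directory's permissions differ. The here-document operator looks truncated in this rendering (`cat <`) and the scriptlet continues outside the hunk, so the quoting of the awk body cannot be checked here.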
@@ -233,7 +232,8 @@ cat < /tmp/saslpw.awk } } EOF -db_dump -p /etc/sasldb2 | gawk -f /tmp/saslpw.awk > /var/adm/update-scripts/saslpwd +db_dump -p /etc/sasldb2 | gawk -f /var/adm/update-scripts/saslpw.awk > /var/adm/update-scripts/saslpwd +rm -f /var/adm/update-scripts/saslpw.awk mv /etc/sasldb2 /etc/sasldb2-back fi @@ -241,6 +241,7 @@ fi if [ -e /var/adm/update-scripts/saslpwd ]; then chmod 755 /var/adm/update-scripts/saslpwd /var/adm/update-scripts/saslpwd + rm -f /var/adm/update-scripts/saslpwd fi %post -n %lname -p /sbin/ldconfig
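Review bot: The dump written by `db_dump -p /etc/sasldb2 | gawk ... > /var/adm/update-scripts/saslpwd` is created with whatever umask the scriptlet inherits, and nothing in this hunk restricts it. The awk program filters on `userPassword`, so the file presumably holds the credentials taken from sasldb2; a `umask 077` line before the pipeline would keep it readable by root only from the moment it is created. Separately, the exit status of `db_dump` is not checked, so `mv /etc/sasldb2 /etc/sasldb2-back` runs even when the dump failed or came out empty. The surrounding `if` block starts outside the hunk.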
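Review bot: In the last hunk, the `chmod 755` just above the added `rm -f` makes the generated `saslpwd` script world-readable for as long as it exists, and it appears to contain the dumped SASL secrets. Only the scriptlet itself runs the file, so `chmod 700 /var/adm/update-scripts/saslpwd` is enough. The added `rm -f` also runs whether or not the script succeeded; if a failed conversion should be noticed, chain them as `/var/adm/update-scripts/saslpwd && rm -f /var/adm/update-scripts/saslpwd`, and decide explicitly what happens to the file on failure. A one-line comment recording that the file holds credentials and must not outlive the scriptlet would help the next maintainer.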