cyrus security update

CentOS Project, CESA-2007:0878
Sep 04, 2007 - 9:31 p.m. (2007-09-04 21:31:32)
lists.centos.org

CVSS2: 2.6 Low
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:H/Au:N/C:N/I:N/A:P

EPSS: 0.073 Low
Percentile: 94.0%

CentOS Errata and Security Advisory CESA-2007:0878

The cyrus-sasl package contains the Cyrus implementation of SASL.
SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols.

A bug was found in cyrus-sasl’s DIGEST-MD5 authentication mechanism. As
part of the DIGEST-MD5 authentication exchange, the client is expected to
send a specific set of information to the server. If one of these items
(the “realm”) was not sent or was malformed, it was possible for a remote
unauthenticated attacker to cause a denial of service (segmentation fault)
on the server. (CVE-2006-1721)
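
An added example, not part of the advisory and not cyrus-sasl's code: a defensive way to extract the realm from a DIGEST-MD5 digest-response so that a missing or malformed value produces a status code and an empty, NUL-terminated string, and the caller never handles a NULL or unterminated realm. It assumes RFC 2831 directive syntax with lowercase directive names; `get_realm` and `enum realm_status` are names invented for this sketch.

```c
#include <stddef.h>
#include <string.h>

enum realm_status { REALM_OK = 0, REALM_ABSENT = 1, REALM_MALFORMED = -1 };

/* Copy the quoted realm value out of a digest-response directive list.
 * `out` is always left NUL-terminated, so callers never see a NULL or
 * unterminated realm, whatever the peer sent. Hypothetical helper. */
enum realm_status get_realm(const char *resp, char *out, size_t outlen)
{
    const char *p = resp;
    size_t n = 0;

    if (out == NULL || outlen == 0) return REALM_MALFORMED;
    out[0] = '\0';
    if (resp == NULL) return REALM_MALFORMED;

    while (*p != '\0') {
        while (*p == ' ' || *p == ',') p++;          /* skip separators */
        const char *key = p;
        while (*p != '\0' && *p != '=' && *p != ',') p++;
        int is_realm = (p - key == 5 && strncmp(key, "realm", 5) == 0);
        if (*p != '=') {                              /* directive without a value */
            if (is_realm) return REALM_MALFORMED;
            continue;
        }
        p++;
        if (*p == '"') {                              /* quoted-string value */
            for (p++; *p != '\0' && *p != '"'; p++) {
                if (*p == '\\' && *++p == '\0') break;   /* dangling escape */
                if (is_realm) {
                    if (n + 1 >= outlen) { out[0] = '\0'; return REALM_MALFORMED; }
                    out[n++] = *p;
                }
            }
            if (*p != '"') { out[0] = '\0'; return REALM_MALFORMED; } /* unterminated */
            p++;
            if (is_realm) { out[n] = '\0'; return REALM_OK; }
        } else {                                      /* unquoted token value */
            if (is_realm) return REALM_MALFORMED;     /* realm must be quoted */
            while (*p != '\0' && *p != ',') p++;
        }
    }
    return REALM_ABSENT;   /* RFC 2831: a missing realm is the empty string */
}
```

A server would reject the exchange on `REALM_MALFORMED` and continue with the empty string on `REALM_ABSENT`.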

Users of cyrus-sasl should upgrade to these updated packages, which contain a
backported patch to correct this issue.

Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2007-September/076326.html
https://lists.centos.org/pipermail/centos-announce/2007-September/076327.html
https://lists.centos.org/pipermail/centos-announce/2007-September/076328.html
https://lists.centos.org/pipermail/centos-announce/2007-September/089088.html

Affected packages:
cyrus-sasl
cyrus-sasl-devel
cyrus-sasl-gssapi
cyrus-sasl-md5
cyrus-sasl-plain

Upstream details at:
https://access.redhat.com/errata/RHSA-2007:0878
