(RHSA-2007:0795) Moderate: cyrus-sasl security and bug fix update

2007-09-04 00:00:00
access.redhat.com

CVSS2: 2.6 Low (AV:N/AC:H/Au:N/C:N/I:N/A:P)
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL

EPSS: 0.073 Low (Percentile 93.4%)

The cyrus-sasl package contains the Cyrus implementation of SASL. SASL is
the Simple Authentication and Security Layer, a method for adding
authentication support to connection-based protocols.

A bug was found in cyrus-sasl’s DIGEST-MD5 authentication mechanism. As
part of the DIGEST-MD5 authentication exchange, the client is expected to
send a specific set of information to the server. If one of these items
(the “realm”) was not sent or was malformed, it was possible for a remote
unauthenticated attacker to cause a denial of service (segmentation fault)
on the server. (CVE-2006-1721)
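The failure mode described above, a digest-response whose realm directive is absent or empty reaching code that assumes it is present, is exactly what a server-side DIGEST-MD5 parser should reject before the exchange continues. The following is an added example and not cyrus-sasl's own code: a minimal RFC 2831-style directive parser whose `check_realm` returns an error code instead of letting a missing value propagate; the directive names are from the protocol, the sample responses are constructed, and `find_directive` assumes no escaped quotes inside quoted values.

```c
#include <string.h>

/* Result of validating the realm directive of a DIGEST-MD5 digest-response. */
enum realm_check { REALM_OK = 0, REALM_MISSING = 1, REALM_MALFORMED = 2 };

/* Copy the value of directive `name` out of a comma-separated list of
 * key=value / key="value" directives (RFC 2831 digest-response syntax).
 * Returns 1 if the directive was present, 0 if it was absent.
 * Assumption: quoted values contain no escaped quote characters. */
static int find_directive(const char *resp, const char *name,
                          char *out, size_t outlen)
{
    const char *p = resp;
    size_t nlen = strlen(name);
    while (*p) {
        while (*p == ' ' || *p == ',') p++;          /* skip separators */
        const char *key = p;
        while (*p && *p != '=' && *p != ',') p++;    /* scan directive name */
        if (*p != '=') {                             /* no '=': not a directive */
            while (*p && *p != ',') p++;
            continue;
        }
        size_t klen = (size_t)(p - key);
        p++;                                         /* skip '=' */
        const char *val;
        size_t vlen;
        if (*p == '"') {                             /* quoted value */
            val = ++p;
            while (*p && *p != '"') p++;
            vlen = (size_t)(p - val);
            if (*p == '"') p++;
        } else {                                     /* token value */
            val = p;
            while (*p && *p != ',') p++;
            vlen = (size_t)(p - val);
        }
        if (klen == nlen && strncmp(key, name, nlen) == 0) {
            if (vlen >= outlen) vlen = outlen - 1;   /* truncate, never overflow */
            memcpy(out, val, vlen);
            out[vlen] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Server-side check: a response with no realm, or an empty one, is rejected
 * up front rather than being dereferenced later in the exchange. */
int check_realm(const char *digest_response)
{
    char realm[256];
    if (!find_directive(digest_response, "realm", realm, sizeof realm))
        return REALM_MISSING;
    if (realm[0] == '\0')
        return REALM_MALFORMED;
    return REALM_OK;
}
```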

This erratum also fixes the following bugs:

  • the Kerberos 5 library included in Red Hat Enterprise Linux 4 was not
    thread safe. This update adds functionality which allows it to be used
    safely in a threaded application.

  • several memory leak bugs were fixed in cyrus-sasl’s DIGEST-MD5
    authentication plug-in.

  • /dev/urandom is now used by default on systems which don’t support
    hwrandom. Previously, /dev/random was the default.

  • cyrus-sasl needs zlib-devel to build properly. This dependency
    information is now included in the package.

Users are advised to upgrade to this updated cyrus-sasl package, which
resolves these issues.
