[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8572) FOR INFO ONLY: SASL SCRAM-SHA-1 authz may fail incorrectly

Full_Name: Bill Clay
Version: 2.4.44
OS: Debian/GNU Linux 7.8 (Wheezy)
Submission from: (NULL) (

Cyrus SASL 2.1.26 plugins/scram.c decode_saslname() may return a corrupt authz

SASL SCRAM-SHA-1 auth with a "dn:" style authzID can return an authzID string
with trailing original (escaped) characters appended.  slapd may then
incorrectly deny the requested proxy authorization because the returned value
may fail match criteria that a correctly-decoded SASL name would pass. (There
may be other SASL SCRAM scenarios in which this flaw would produce incorrect

Cyrus SASL issue: https://github.com/cyrusimap/cyrus-sasl/issues/416