The attachment "Fix SCRAM support for SASL authentication" seems to be a
patch.  If it isn't, please remove the "patch" flag from the attachment,
remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers,
unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issues please contact him.]

** Tags added: patch

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/1988730

Title:
  package libsasl2-modules provides only unsafe SASL bind mechanisms

Status in cyrus-sasl2 package in Ubuntu:
  New

Bug description:
  Current Cyrus libsasl2 packaging (Ubuntu Jammy) distributes SASL bind
  mechanisms into different packages. Plain and shared secret mechanisms are
  provided by package libsasl2-modules:
  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so
  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libanonymous.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libcrammd5.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libdigestmd5.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/liblogin.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libntlm.so.2.0.25
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libplain.so.2.0.25

  The "safest" mechanism in this list is DIGEST-MD5, which is marked as
  obsolete by IANA and regarded as unsafe by IETF. Current safest
  standard mechanisms are SCRAM based (RFC7677).

  All SCRAM family SASL mechanisms of Cyrus SASL are provided by Ubuntu package
  libsasl2-modules-gssapi-mit:
  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so
  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2
  /usr/lib/x86_64-linux-gnu/sasl2/libscram.so.2.0.25

  But the focus of this package is GSSAPI and GS2 SASL mechanisms, which
  have nothing to do with SCRAM. In addition, this package conflicts
  with package libsasl2-modules-gssapi-heimdal. System administrators
  have to choose one package for support of GSSAPI or GSS-SPNEGO. If
  they prefer Heimdal there is no safe SASL shared secret mechanism
  available anymore on the server/workstation.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cyrus-sasl2/+bug/1988730/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
