| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| 0001-plugins-digestmd5-Remove-debug-log-mech-free.patch | plugins/digestmd5: Remove debug log "mech free" The "DIGEST-MD5 common mech free" debug log message is bothering many users. It is not really helpful, so drop it. Fixes #386. |
Bastian Germann <bage@debian.org> | yes | 2022-04-14 | ||
| 0002-Use-etc-sasldb2-instead-of-.-sasldb-in-the-testsuite.patch | Use /etc/sasldb2 instead of ./sasldb in the testsuite | Debian Cyrus SASL Team | not-needed | 2016-03-24 | ||
| 0003-Update-saslauthd.conf-location-in-documentation.patch | Update saslauthd.conf location in documentation date format (cosmetic). |
Debian Cyrus SASL Team | not-needed | 2016-03-24 | ||
| 0028-utils-Link-libcrypto.patch | utils: Link libcrypto With sasl_checkapop enabled, testsuite uses libcrypto functions. |
Bastian Germann <bage@debian.org> | no | backport, https://github.com/cyrusimap/cyrus-sasl/pull/780 | 2023-07-23 | |
| 0004-Include-dbconverter-2-in-sbin_PROGRAMS-and-set-defau.patch | Include dbconverter-2 in sbin_PROGRAMS and set default sasldb file to /etc/sasldb2 database file to /etc/sasldb2. |
Debian Cyrus SASL Team | not-needed | 2016-03-24 | ||
| 0005-Fix-time-check.patch | Fix <time.h> check We're conditionally including based on HAVE_TIME_H in a bunch of places, but we're not actually checking for time.h, so that's never going to be defined. While at it, add in a missing include in the cram plugin. This fixes a bunch of implicit declaration warnings: ``` * cyrus-sasl-2.1.28/lib/saslutil.c:280:3: warning: implicit declaration of function ‘time’ [-Wimplicit-function-declaration] * cyrus-sasl-2.1.28/lib/saslutil.c:364:41: warning: implicit declaration of function ‘clock’ [-Wimplicit-function-declaration] * cyrus-sasl-2.1.28/plugins/cram.c:132:7: warning: implicit declaration of function ‘time’ [-Wimplicit-function-declaration] * cyrus-sasl-2.1.28/lib/saslutil.c:280:3: warning: implicit declaration of function ‘time’ [-Wimplicit-function-declaration] * cyrus-sasl-2.1.28/lib/saslutil.c:364:41: warning: implicit declaration of function ‘clock’ [-Wimplicit-function-declaration] * cyrus-sasl-2.1.28/plugins/cram.c:132:7: warning: implicit declaration of function ‘time’ [-Wimplicit-function-declaration] ``` |
Sam James <sam@gentoo.org> | no | upstream, https://github.com/cyrusimap/cyrus-sasl/commit/266f0acf7f5e029afbb3e263437039e50cd6c262 | 2022-02-23 | |
| 0006-Makefile.am-Set-date-in-man-pages.patch | Makefile.am: Set date in man pages. The build date is embedded in the man pages by default. Pass arguments to sphinx to use the date defined in SOURCE_DATE_EPOCH. https://reproducible-builds.org/docs/source-date-epoch/ |
Vagrant Cascadian <vagrant@reproducible-builds.org> | not-needed | 2021-09-27 | ||
| 0008-Don-t-overwrite-PIC-objects-with-non-PIC-variant.patch | Don't overwrite PIC objects with non-PIC variant This patch makes sure the non-PIC version of libsasldb.a, which is created out of non-PIC objects, is not going to overwrite the PIC version, which is created out of PIC objects. The PIC version is placed in .libs, and the non-PIC version in the current directory. This ensures that both non-PIC and PIC versions are available in the correct locations. |
Debian Cyrus SASL Team | yes | 2016-03-24 | ||
| 0007-Self-reference-pluginviewer-man-as-saslpluginviewer.patch | Self-reference pluginviewer man as saslpluginviewer pluginviewer is installed as saslpluginviewer in Debian. Edit the self-references in Debian to match the rename. |
Bastian Germann <bage@debian.org> | not-needed | 2022-04-14 | ||
| 0009-Look-for-generic-Berkeley-DB-first.patch | Look for generic Berkeley DB first | Debian Cyrus SASL Team | no | 2016-03-24 | ||
| 0010-Add-sasldbconverter2.8.patch | Add sasldbconverter2.8 The file stems from version 2.1.28 and is not included in the distribution tarball. |
Bastian Germann <bage@debian.org> | yes | 2022-04-15 | ||
| 0011-honor-log_level-option-on-clients-too.patch | Fix #386 - honor log_level option on clients too | Howard Chu <hyc@symas.com> | yes | upstream | upstream, https://github.com/cyrusimap/cyrus-sasl/commit/cb549ef71c5bb646fe583697ebdcaba93267a237 | 2022-04-14 |
| 0015-Replace-MD5-with-OpenSSL-legacy-implementation.patch | Replace MD5 with OpenSSL legacy implementation Require OpenSSL for the build so that it can be used always. Drop the internal MD5 implementation and replace every occurence. Keep the HMAC MD5 implementation for now but base it on OpenSSL. |
Bastian Germann <bage@debian.org> | no | backport, df44e6ae82ffd0f2264972ce14d48a67e008b7d2 | 2023-05-28 | |
| 0012-Make-the-libsasl2-symbols-versioned.patch | Make the libsasl2 symbols versioned | Debian Cyrus SASL Team | no | 2016-03-24 | ||
| 0013-Don-t-use-la-files-for-opening-plugins.patch | Don't use la files for opening plugins | Debian Cyrus SASL Team | no | 2016-03-24 | ||
| 0014-Prevent-recreating-of-md5global.patch | Prevent recreating of md5global | Bastian Germann <bage@debian.org> | no | 2023-04-13 | ||
| 0016-saslauthd-Replace-MD5-with-OpenSSL-EVP-implementation.patch | saslauthd: Replace MD5 with OpenSSL EVP implementation | Bastian Germann <bage@debian.org> | no | 2023-05-28 | ||
| 0017-Just-completely-remove-libobj-from-autotools-files.patch | Just completely remove libobj from autotools files | Ondřej Surý <ondrej@sury.org> | not-needed | 2018-10-02 | ||
| 0018-Temporary-multiarch-fixes.patch | Temporary multiarch fixes | Debian Cyrus SASL Team | not-needed | 2016-03-24 | ||
| 0019-Add-reference-to-LDAP_SASLAUTHD-file-to-the-saslauth.patch | Add reference to LDAP_SASLAUTHD file to the saslauthd documentation | Debian Cyrus SASL Team | not-needed | 2016-03-24 | ||
| 0020-Exclude-md5global.patch | Exclude md5global.h | Bastian Germann <bage@debian.org> | no | 2023-05-29 | ||
| 0021-Replace-custom-memset-with-OPENSSL_cleanse.patch | Replace custom memset with OPENSSL_cleanse memset can be elided by linkers, so rely on a function that prevents that behaviour. Alternatives would be explicit_bzero or the C23 memset_explicit. However, both of them have protability issues. As OpenSSL is in use in this module anyway, use its OPENSSL_cleanse. |
Bastian Germann <bage@debian.org> | no | upstream, 08cab3392d54a97c84f05640f9f89de78a03d36c | 2023-05-30 | |
| 0022-Replace-custom-with-standard-memcpy.patch | Replace custom with standard memcpy | Bastian Germann <bage@debian.org> | no | upstream, 4798f8cae5cedbe5c53ae034e0bbca50896e9094 | 2023-05-30 | |
| 0023-Add-a-note-on-the-RSA-MD-license.patch | Add a note on the RSA-MD license | Bastian Germann <bage@debian.org> | no | upstream, dffe0b3e86925c95e6f30ec0f2de9fb0c439c7bc | 2023-05-30 | |
| 0024-Relicense-md5.patch | Relicense md5.c "As explained in dffe0b3e86925c95e6f30ec0f2de9fb0c439c7bc, the RSA-MD-licensed file md5.c can be relicensed easily because the third-party code that was licensed under RSA-MD is eliminated by now." -- Bastian Germann <bage@debian.org> in GitHub issue #769 The commit referenced was part of GitHub PR #767 and was authored by Bastian Germann. I reviewed the commit history on this file. I concurred with Bastian's original assessment that the relevant detail was Rob Earhart's code, and Bastian agreed with my analysis in the bug. The next step was confirming that the MD5 code that Rob Earhart contributed was/is licensed under the same license as the rest of the project. This is a reasonable assumption, as he was one of the main authors of the original code, and everything else he contributed was under that license. However, to avoid ambiguity or assumptions, I emailed Rob Earhart. He responded today, confirming: On 2023-06-28 12:14, Rob Earhart wrote: > Any code I wrote for the Cyrus SASL project has my permission to be > used under that main license. Fixes #769 |
Richard Laager <rlaager@wiktel.com> | no | upstream, 93e56756838962b0decfe46322a4dc60fd89e739 | 2023-06-28 | |
| 0025-Revert-upstream-soname-bump.patch | Revert upstream soname bump | Ondřej Surý <ondrej@debian.org> | not-needed | 2016-03-24 | ||
| 0026-Gracefully-handle-failed-init.patch | [PATCH] Gracefully handle failed initializations In OpenSSL 3.0 these algorithms have been moved to the legacy provider which is not enabled by default. This means allocation can and do fail. Handle failed allocations by returning an actual error instead of crashing later with a NULL context. |
Simo Sorce <simo@redhat.com> | no | 2021-06-21 | ||
| 0027-Catch-errors-from-EVP_Digest-functions.patch | [PATCH] Catch errors from EVP_Digest* functions In OpenSSL 3.0 digest init can fail simply because a legacy provider is not loaded of FIPS mode is active and the digest is not allowed. If the errors are not handled the application may crash later trying to access uninitialized contexts. |
Simo Sorce <simo@redhat.com> | no | 2021-07-21 | ||
| 0029-Load-OpenSSL3-legacy-provider-digestmd5.patch | [PATCH] Add support for loading legacy provider OpenSSL 3.0 is moving a number of functions into the legacy provider. This provider is not loaded by default, so applications that need to use legacy algorithms must either load them explicitly or admins have to explicitly load the legacy provider to their openssl conf file. The latter is bad as it will enable legacy providers systam-wide, it also requires manual intervention. Programmatically load the legacy provider for older plugins that have no good cipher option to fall back on. |
Simo Sorce <simo@redhat.com> | no | 2021-09-30 | ||
| 0030-testsuite-Replace-MD5-with-OpenSSL-EVP-implementation.patch | testsuite: Replace MD5 with OpenSSL EVP implementation | Bastian Germann <bage@debian.org> | no | upstream, 9b22fbfd520938b3aba684740095dbbeb449b733 | 2023-05-30 | |
| 0031-checkpw-Replace-MD5-with-OpenSSL-EVP-implementation.patch | checkpw: Replace MD5 with OpenSSL EVP implementation | Bastian Germann <bage@debian.org> | no | backport, ca20488a743bf7c0d8fe6f2ab38860a5b9e4fb24 | 2023-05-30 | |
| 0032-Add-with_pgsql-include-postgresql-to-include-path.patch | Add ${with_pgsql}include/postgresql/ to include path | Ondřej Surý <ondrej@sury.org> | yes | 2016-10-25 | ||
| 0033-Check-for-gssapi_krb5.h-before-testing-a-resulting-value.patch | sasl2.m4: Check for gssapi_krb5.h before testing a resulting value When <gssapi/gssapi_krb5.h> stems from Heimdal but build-heimdal/config.h doesn't define HAVE_GSSAPI_GSSAPI_KRB5_H, <gssapi/gssapi_krb5.h> is not included. The header file is only checked if gsskrb5_register_acceptor_identity is not found. Move the header check so that it works for both KRB5 and Heimdal. |
Bastian Germann <bage@debian.org> | no | https://github.com/cyrusimap/cyrus-sasl/pull/826 | 2024-03-18 | |
| 0034-channel-binding-gssapi-gss-spnego.patch | Add Channel Binding support for GSSAPI/GSS-SPNEGO | Simo Sorce <simo@redhat.com> | no | upstream, https://github.com/cyrusimap/cyrus-sasl/commit/975edbb69070eba6b035f08776de771a129cfb57 | 2020-03-20 | |
| 0035-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO-1.patch | Add support for setting max ssf 0 to GSS-SPNEGO This is needed to interop with Windows within a TLS channel. |
Simo Sorce <simo@redhat.com> | no | backport, https://github.com/cyrusimap/cyrus-sasl/commit/9de4d7e885c96c68a155d2885c980e1d889129c7 | 2019-09-19 | |
| 0035-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO-2.patch | Be more conformant to RFC4752 Although we need to be able to completely suppress Integrity and Confidentiality flags in GSS-SPNEGO, we also need to be more conformant to RFC4752 for the GSSAPI mechanism. The RFC reuires to always set Integrity for SASL/GSSAPI, it also requires MUTUAL/SEQUENCE flags to only be set if any Security Layer is requested. Finally Confidentiality should be set only when requested so change the code that suppresses MIT krb5 setting CI flags not only in the SSF == 0 case but also when SSF == 1, the integrity flag in that case will be explicitly set by our code and the NO_CI_FLAGS option will unset just the CONF flag. |
Simo Sorce <simo@redhat.com> | no | upstream, https://github.com/cyrusimap/cyrus-sasl/commit/c4c57d85c589d7e78bccdc67d705cdcdf85a2b02 | 2020-06-26 | |
| 0036-Prevent-linking-via-intersphinx.patch | Prevent linking via intersphinx | Bastian Germann <bage@debian.org> | no | 2024-03-19 | ||
| 0037-Extend-the-time_t-format-specifiers-to-64-bit.patch | Extend the time_t format specifiers to long long In some format strings, it is expected that time_t is the same size as long. long is 32 bit for 32 bit architectures, while time_t might be 64 bit. Extend the format string specifiers to long long, which can hold a time_t regardless of the platform and libc configuration. |
Bastian Germann <bage@debian.org> | no | https://github.com/cyrusimap/cyrus-sasl/pull/828 | 2024-03-20 | |
| 0038-Prevent-six-import.patch | Prevent six import | Bastian Germann <bage@debian.org> | no | 2024-03-21 |