Debian Patches

Status for cyrus-sasl2/2.1.28+dfsg1-6

Patch Description Author Forwarded Bugs Origin Last update
0001-plugins-digestmd5-Remove-debug-log-mech-free.patch plugins/digestmd5: Remove debug log "mech free"
The "DIGEST-MD5 common mech free" debug log message is bothering many users.
It is not really helpful, so drop it.

Fixes #386.
Bastian Germann <> yes 2022-04-14
0002-Use-etc-sasldb2-instead-of-.-sasldb-in-the-testsuite.patch Use /etc/sasldb2 instead of ./sasldb in the testsuite Debian Cyrus SASL Team not-needed 2016-03-24
0003-Update-saslauthd.conf-location-in-documentation.patch Update saslauthd.conf location in documentation
date format (cosmetic).
Debian Cyrus SASL Team not-needed 2016-03-24
0028-utils-Link-libcrypto.patch utils: Link libcrypto
With sasl_checkapop enabled, testsuite uses libcrypto functions.
Bastian Germann <> no backport, 2023-07-23
0004-Include-dbconverter-2-in-sbin_PROGRAMS-and-set-defau.patch Include dbconverter-2 in sbin_PROGRAMS and set default sasldb file to /etc/sasldb2

database file to /etc/sasldb2.
Debian Cyrus SASL Team not-needed 2016-03-24
0005-Fix-time-check.patch Fix <time.h> check
We're conditionally including based on HAVE_TIME_H in a bunch of places,
but we're not actually checking for time.h, so that's never going to be defined.

While at it, add in a missing include in the cram plugin.

This fixes a bunch of implicit declaration warnings:
* cyrus-sasl-2.1.28/lib/saslutil.c:280:3: warning: implicit declaration of function ‘time’ [-Wimplicit-function-declaration]
* cyrus-sasl-2.1.28/lib/saslutil.c:364:41: warning: implicit declaration of function ‘clock’ [-Wimplicit-function-declaration]
* cyrus-sasl-2.1.28/plugins/cram.c:132:7: warning: implicit declaration of function ‘time’ [-Wimplicit-function-declaration]
Sam James <> no upstream, 2022-02-23
Set date in man pages.
The build date is embedded in the man pages by default. Pass arguments
to sphinx to use the date defined in SOURCE_DATE_EPOCH.
Vagrant Cascadian <> not-needed 2021-09-27
0008-Don-t-overwrite-PIC-objects-with-non-PIC-variant.patch Don't overwrite PIC objects with non-PIC variant
This patch makes sure the non-PIC version of libsasldb.a, which
is created out of non-PIC objects, is not going to overwrite the PIC version,
which is created out of PIC objects. The PIC version is placed in .libs, and
the non-PIC version in the current directory. This ensures that both non-PIC
and PIC versions are available in the correct locations.
Debian Cyrus SASL Team yes 2016-03-24
0007-Self-reference-pluginviewer-man-as-saslpluginviewer.patch Self-reference pluginviewer man as saslpluginviewer
pluginviewer is installed as saslpluginviewer in Debian.
Edit the self-references in Debian to match the rename.
Bastian Germann <> not-needed 2022-04-14
0009-Look-for-generic-Berkeley-DB-first.patch Look for generic Berkeley DB first Debian Cyrus SASL Team no 2016-03-24
0010-Add-sasldbconverter2.8.patch Add sasldbconverter2.8
The file stems from version 2.1.28 and is not included in the distribution
Bastian Germann <> yes 2022-04-15
0011-honor-log_level-option-on-clients-too.patch Fix #386 - honor log_level option on clients too Howard Chu <> yes upstream upstream, 2022-04-14
0015-Replace-MD5-with-OpenSSL-legacy-implementation.patch Replace MD5 with OpenSSL legacy implementation
Require OpenSSL for the build so that it can be used always.
Drop the internal MD5 implementation and replace every occurrence.
Keep the HMAC MD5 implementation for now but base it on OpenSSL.
Bastian Germann <> no backport, df44e6ae82ffd0f2264972ce14d48a67e008b7d2 2023-05-28
0012-Make-the-libsasl2-symbols-versioned.patch Make the libsasl2 symbols versioned Debian Cyrus SASL Team no 2016-03-24
0013-Don-t-use-la-files-for-opening-plugins.patch Don't use la files for opening plugins Debian Cyrus SASL Team no 2016-03-24
0014-Prevent-recreating-of-md5global.patch Prevent recreating of md5global Bastian Germann <> no 2023-04-13
0016-saslauthd-Replace-MD5-with-OpenSSL-EVP-implementation.patch saslauthd: Replace MD5 with OpenSSL EVP implementation Bastian Germann <> no 2023-05-28
0017-Just-completely-remove-libobj-from-autotools-files.patch Just completely remove libobj from autotools files Ondřej Surý <> not-needed 2018-10-02
0018-Temporary-multiarch-fixes.patch Temporary multiarch fixes Debian Cyrus SASL Team not-needed 2016-03-24
0019-Add-reference-to-LDAP_SASLAUTHD-file-to-the-saslauth.patch Add reference to LDAP_SASLAUTHD file to the saslauthd documentation Debian Cyrus SASL Team not-needed 2016-03-24
0020-Exclude-md5global.patch Exclude md5global.h Bastian Germann <> no 2023-05-29
0021-Replace-custom-memset-with-OPENSSL_cleanse.patch Replace custom memset with OPENSSL_cleanse
memset can be elided by linkers, so rely on a function that prevents
that behaviour. Alternatives would be explicit_bzero or the C23
memset_explicit. However, both of them have portability issues.

As OpenSSL is in use in this module anyway, use its OPENSSL_cleanse.
Bastian Germann <> no upstream, 08cab3392d54a97c84f05640f9f89de78a03d36c 2023-05-30
0022-Replace-custom-with-standard-memcpy.patch Replace custom with standard memcpy Bastian Germann <> no upstream, 4798f8cae5cedbe5c53ae034e0bbca50896e9094 2023-05-30
0023-Add-a-note-on-the-RSA-MD-license.patch Add a note on the RSA-MD license Bastian Germann <> no upstream, dffe0b3e86925c95e6f30ec0f2de9fb0c439c7bc 2023-05-30
0024-Relicense-md5.patch Relicense md5.c
"As explained in dffe0b3e86925c95e6f30ec0f2de9fb0c439c7bc, the
RSA-MD-licensed file md5.c can be relicensed easily because the
third-party code that was licensed under RSA-MD is eliminated by now."
-- Bastian Germann <> in GitHub issue #769

The commit referenced was part of GitHub PR #767 and was authored by
Bastian Germann.

I reviewed the commit history on this file. I concurred with Bastian's
original assessment that the relevant detail was Rob Earhart's code,
and Bastian agreed with my analysis in the bug.

The next step was confirming that the MD5 code that Rob Earhart
contributed was/is licensed under the same license as the rest of the
project. This is a reasonable assumption, as he was one of the main
authors of the original code, and everything else he contributed was
under that license.

However, to avoid ambiguity or assumptions, I emailed Rob Earhart.
He responded today, confirming:

On 2023-06-28 12:14, Rob Earhart wrote:
> Any code I wrote for the Cyrus SASL project has my permission to be
> used under that main license.

Fixes #769
Richard Laager <> no upstream, 93e56756838962b0decfe46322a4dc60fd89e739 2023-06-28
0025-Revert-upstream-soname-bump.patch Revert upstream soname bump Ondřej Surý <> not-needed 2016-03-24
0026-Gracefully-handle-failed-init.patch [PATCH] Gracefully handle failed initializations
In OpenSSL 3.0 these algorithms have been moved to the legacy provider
which is not enabled by default. This means allocations can and do fail.
Handle failed allocations by returning an actual error instead of
crashing later with a NULL context.
Simo Sorce <> no 2021-06-21
0027-Catch-errors-from-EVP_Digest-functions.patch [PATCH] Catch errors from EVP_Digest* functions
In OpenSSL 3.0 digest init can fail simply because a legacy provider is
not loaded or FIPS mode is active and the digest is not allowed.
If the errors are not handled the application may crash later trying to
access uninitialized contexts.
Simo Sorce <> no 2021-07-21
0029-Load-OpenSSL3-legacy-provider-digestmd5.patch [PATCH] Add support for loading legacy provider
OpenSSL 3.0 is moving a number of functions into the legacy provider.
This provider is not loaded by default, so applications that need to
use legacy algorithms must either load them explicitly or admins
have to explicitly load the legacy provider to their openssl conf file.

The latter is bad as it will enable legacy providers system-wide, it
also requires manual intervention. Programmatically load the legacy
provider for older plugins that have no good cipher option to fall
back on.
Simo Sorce <> no 2021-09-30
0030-testsuite-Replace-MD5-with-OpenSSL-EVP-implementation.patch testsuite: Replace MD5 with OpenSSL EVP implementation Bastian Germann <> no upstream, 9b22fbfd520938b3aba684740095dbbeb449b733 2023-05-30
0031-checkpw-Replace-MD5-with-OpenSSL-EVP-implementation.patch checkpw: Replace MD5 with OpenSSL EVP implementation Bastian Germann <> no backport, ca20488a743bf7c0d8fe6f2ab38860a5b9e4fb24 2023-05-30
0032-Add-with_pgsql-include-postgresql-to-include-path.patch Add ${with_pgsql}include/postgresql/ to include path Ondřej Surý <> yes 2016-10-25
0033-Check-for-gssapi_krb5.h-before-testing-a-resulting-value.patch sasl2.m4: Check for gssapi_krb5.h before testing a resulting value
When <gssapi/gssapi_krb5.h> stems from Heimdal but
build-heimdal/config.h doesn't define HAVE_GSSAPI_GSSAPI_KRB5_H,
<gssapi/gssapi_krb5.h> is not included.

The header file is only checked if gsskrb5_register_acceptor_identity is
not found.

Move the header check so that it works for both KRB5 and Heimdal.
Bastian Germann <> no 2024-03-18
0034-channel-binding-gssapi-gss-spnego.patch Add Channel Binding support for GSSAPI/GSS-SPNEGO Simo Sorce <> no upstream, 2020-03-20
0035-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO-1.patch Add support for setting max ssf 0 to GSS-SPNEGO
This is needed to interop with Windows within a TLS channel.
Simo Sorce <> no backport, 2019-09-19
0035-Add-support-for-setting-max-ssf-0-to-GSS-SPNEGO-2.patch Be more conformant to RFC4752
Although we need to be able to completely suppress Integrity and
Confidentiality flags in GSS-SPNEGO, we also need to be more conformant
to RFC4752 for the GSSAPI mechanism.

The RFC requires to always set Integrity for SASL/GSSAPI, it also
requires MUTUAL/SEQUENCE flags to only be set if any Security Layer is

Finally Confidentiality should be set only when requested so change the
code that suppresses MIT krb5 setting CI flags not only in the SSF == 0
case but also when SSF == 1, the integrity flag in that case will be
explicitly set by our code and the NO_CI_FLAGS option will unset just
the CONF flag.
Simo Sorce <> no upstream, 2020-06-26
0036-Prevent-linking-via-intersphinx.patch Prevent linking via intersphinx Bastian Germann <> no 2024-03-19
0037-Extend-the-time_t-format-specifiers-to-64-bit.patch Extend the time_t format specifiers to long long
In some format strings, it is expected that time_t is the same size as long.
long is 32 bit for 32 bit architectures, while time_t might be 64 bit.
Extend the format string specifiers to long long, which can hold a
time_t regardless of the platform and libc configuration.
Bastian Germann <> no 2024-03-20
0038-Prevent-six-import.patch Prevent six import Bastian Germann <> no 2024-03-21
