diff --git a/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch b/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch
new file mode 100644
index 0000000..939c4c9
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch
@@ -0,0 +1,46 @@
+diff --git a/include/sasl.h b/include/sasl.h
+index 8b8a63f..6ae153f 100755
+--- a/include/sasl.h
++++ b/include/sasl.h
+@@ -179,6 +179,7 @@
+ because of some constrains/policy violation */
+
+ #define SASL_BADBINDING -32 /* channel binding failure */
++#define SASL_CONFIGERR -33 /* error when parsing configuration file */
+
+ /* max size of a sasl mechanism name */
+ #define SASL_MECHNAMEMAX 20
+diff --git a/lib/common.c b/lib/common.c
+index 672fe2f..de0adfd 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -1362,6 +1362,7 @@ const char *sasl_errstring(int saslerr,
+ case SASL_CONSTRAINT_VIOLAT: return "sasl_setpass can't store a property because "
+ "of a constraint violation";
+ case SASL_BADBINDING: return "channel binding failure";
++ case SASL_CONFIGERR: return "error when parsing configuration file";
+
+ default: return "undefined error!";
+ }
+diff --git a/lib/config.c b/lib/config.c
+index 7cae302..fde3757 100644
+--- a/lib/config.c
++++ b/lib/config.c
+@@ -91,7 +91,7 @@ int sasl_config_init(const char *filename)
+ }
+ if (*p != ':') {
+ fclose(infile);
+- return SASL_FAIL;
++ return SASL_CONFIGERR;
+ }
+ *p++ = '\0';
+
+@@ -99,7 +99,7 @@ int sasl_config_init(const char *filename)
+
+ if (!*p) {
+ fclose(infile);
+- return SASL_FAIL;
++ return SASL_CONFIGERR;
+ }
+
+ /* Now strip trailing spaces, if any */
diff --git a/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch b/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch
new file mode 100644
index 0000000..b066258
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-gssapi-non-encrypt.patch
@@ -0,0 +1,28 @@
+diff -up cyrus-sasl-2.1.26/plugins/gssapi.c.gssapi_non_encrypt cyrus-sasl-2.1.26/plugins/gssapi.c
+--- cyrus-sasl-2.1.26/plugins/gssapi.c.gssapi_non_encrypt 2015-05-19 14:57:57.091212254 +0200
++++ cyrus-sasl-2.1.26/plugins/gssapi.c 2015-05-19 15:01:41.681011361 +0200
+@@ -1159,19 +1159,18 @@ gssapi_server_mech_ssfreq(context_t *tex
+ }
+
+ layerchoice = (int)(((char *)(output_token->value))[0]);
+- if (layerchoice == LAYER_NONE &&
+- (text->qop & LAYER_NONE)) { /* no encryption */
++ if (!(layerchoice & (LAYER_INTEGRITY | LAYER_CONFIDENTIALITY)) &&
++ (text->qop & LAYER_NONE)) { /* no encryption */
+ oparams->encode = NULL;
+ oparams->decode = NULL;
+ oparams->mech_ssf = 0;
+- } else if (layerchoice == LAYER_INTEGRITY &&
++ } else if ((layerchoice & LAYER_INTEGRITY) &&
+ (text->qop & LAYER_INTEGRITY)) { /* integrity */
+ oparams->encode = &gssapi_integrity_encode;
+ oparams->decode = &gssapi_decode;
+ oparams->mech_ssf = 1;
+- } else if ((layerchoice == LAYER_CONFIDENTIALITY ||
+- /* For compatibility with broken clients setting both bits */
+- layerchoice == (LAYER_CONFIDENTIALITY|LAYER_INTEGRITY)) &&
++ } else if (/* For compatibility with broken clients setting both bits */
++ (layerchoice & (LAYER_CONFIDENTIALITY | LAYER_INTEGRITY)) &&
+ (text->qop & LAYER_CONFIDENTIALITY)) { /* privacy */
+ oparams->encode = &gssapi_privacy_encode;
+ oparams->decode = &gssapi_decode;
diff --git a/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch b/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch
new file mode 100644
index 0000000..6931d4d
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch
@@ -0,0 +1,29 @@
+From 7739268e775e6ed91509727b014cc1d367ad386d Mon Sep 17 00:00:00 2001
+From: Alexey Melnikov <alexey.melnikov@isode.com>
+Date: Sun, 30 Mar 2014 15:13:34 +0100
+Subject: When processing a list of mechanism names, we shouldn't allow a short
+ prefix match the whole mechanism name
+
+"A", "AN", etc where matching "ANONYMOUS". This patch fixes that.
+
+As reported by plautrba@redhat.com
+
+diff --git a/lib/common.c b/lib/common.c
+index e0f59eb..672fe2f 100644
+--- a/lib/common.c
++++ b/lib/common.c
+@@ -2428,6 +2428,11 @@ int _sasl_is_equal_mech(const char *req_mech,
+ *plus = 0;
+ }
+
++ if (n < strlen(plug_mech)) {
++ /* Don't allow arbitrary prefix match */
++ return 0;
++ }
++
+ return (strncasecmp(req_mech, plug_mech, n) == 0);
+ }
+
+--
+cgit v0.10.2
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch b/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch
new file mode 100644
index 0000000..9deee8b
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-make-client-thread-sage.patch
@@ -0,0 +1,66 @@
+From 3d48a475054911856b736ca2720b82f529dd68cf Mon Sep 17 00:00:00 2001
+From: Noriko Hosoi <nhosoi@redhat.com>
+Date: Wed, 1 Oct 2014 14:20:27 -0700
+Subject: [PATCH] Bug 1147659 - cyrus-sasl client library (client.c) is not
+ thread safe
+
+Description: client_dispose (lib/clinet.c) which closes a connection
+of a sasl client frees mech_list if the head of the list differs
+from the head of the global cmechlist->mech_list. But there was a
+possibility that the list appears in the middle of the global mech
+list. By freeing the mech, it crashed a multi-threaded sasl client.
+
+This patch checks each mech if it is in the global mech list or not.
+Only if it is not, the mech is freed.
+---
+ lib/client.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+diff --git a/lib/client.c b/lib/client.c
+index 31fe346..3f76483 100644
+--- a/lib/client.c
++++ b/lib/client.c
+@@ -324,6 +324,26 @@ int sasl_client_init(const sasl_callback_t *callbacks)
+ return ret;
+ }
+
++/*
++ * If mech is in cmechlist->mech_list, return 1
++ * Otherwise, return 0
++ */
++static int mech_is_in_cmechlist(cmechanism_t *mech)
++{
++ cmechanism_t *m = cmechlist->mech_list;
++ if (NULL == mech) {
++ return 0;
++ }
++
++ while (m && mech) {
++ if (m == mech) {
++ return 1;
++ }
++ m = m->next;
++ }
++ return 0;
++}
++
+ static void client_dispose(sasl_conn_t *pconn)
+ {
+ sasl_client_conn_t *c_conn=(sasl_client_conn_t *) pconn;
+@@ -352,6 +372,13 @@ static void client_dispose(sasl_conn_t *pconn)
+ while (m) {
+ prevm = m;
+ m = m->next;
++ if (mech_is_in_cmechlist(prevm)) {
++ /*
++ * If prevm exists in the global mech_list cmechlist->mech_list,
++ * we should not free it as well as the rest of the list.
++ */
++ break;
++ }
+ sasl_FREE(prevm);
+ }
+ }
+--
+1.9.3
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch b/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch
new file mode 100644
index 0000000..1a1d259
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-revert-gssapi-flags.patch
@@ -0,0 +1,16 @@
+--- cyrus-sasl2.orig/plugins/gssapi.c
++++ cyrus-sasl2/plugins/gssapi.c
+@@ -1583,10 +1583,10 @@ static int gssapi_client_mech_step(void
+ }
+
+ /* Setup req_flags properly */
+- req_flags = GSS_C_INTEG_FLAG;
++ req_flags = GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
+ if (params->props.max_ssf > params->external_ssf) {
+ /* We are requesting a security layer */
+- req_flags |= GSS_C_MUTUAL_FLAG | GSS_C_SEQUENCE_FLAG;
++ req_flags |= GSS_C_INTEG_FLAG;
+ /* Any SSF bigger than 1 is confidentiality. */
+ /* Let's check if the client of the API requires confidentiality,
+ and it wasn't already provided by an external layer */
+
diff --git a/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch b/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch
new file mode 100644
index 0000000..cace375
--- /dev/null
+++ b/SOURCES/cyrus-sasl-2.1.26-saslauthd-user.patch
@@ -0,0 +1,33 @@
+diff --git a/saslauthd/saslauthd.mdoc b/saslauthd/saslauthd.mdoc
+index 37c6f6e..5b635ab 100644
+--- a/saslauthd/saslauthd.mdoc
++++ b/saslauthd/saslauthd.mdoc
+@@ -44,7 +44,27 @@ multi-user mode. When running against a protected authentication
+ database (e.g. the
+ .Li shadow
+ mechanism),
+-it must be run as the superuser.
++it must be run as the superuser. Otherwise it is recommended to run
++daemon unprivileged as saslauth:saslauth. You can do so by following
++these steps:
++.Bl -enum -compact
++.It
++create directory
++.Pa /etc/systemd/system/saslauthd.service.d/
++.It
++create file
++.Pa /etc/systemd/system/saslauthd.service.d/user.conf
++with content
++.Bd -literal
++[Service]
++User=saslauth
++Group=saslauth
++
++.Ed
++.It
++Reload systemd service file: run
++.Dq systemctl daemon-reload
++.El
+ .Ss Options
+ Options named by lower\-case letters configure the server itself.
+ Upper\-case options control the behavior of specific authentication
diff --git a/SOURCES/saslauthd.service b/SOURCES/saslauthd.service
index 1dca862..f59ab3e 100644
--- a/SOURCES/saslauthd.service
+++ b/SOURCES/saslauthd.service
@@ -7,6 +7,7 @@ Type=forking
PIDFile=/run/saslauthd/saslauthd.pid
EnvironmentFile=/etc/sysconfig/saslauthd
ExecStart=/usr/sbin/saslauthd -m $SOCKETDIR -a $MECH $FLAGS
+RuntimeDirectory=saslauthd
[Install]
WantedBy=multi-user.target
diff --git a/SOURCES/saslauthd.tmpfiles b/SOURCES/saslauthd.tmpfiles
deleted file mode 100644
index d4809f7..0000000
--- a/SOURCES/saslauthd.tmpfiles
+++ /dev/null
@@ -1 +0,0 @@
-d /run/saslauthd 0755 root root -
diff --git a/SPECS/cyrus-sasl.spec b/SPECS/cyrus-sasl.spec
index 9727469..62f90f6 100644
--- a/SPECS/cyrus-sasl.spec
+++ b/SPECS/cyrus-sasl.spec
@@ -1,5 +1,5 @@
%define username saslauth
-%define hint "Saslauthd user"
+%define hint Saslauthd user
%define homedir /run/saslauthd
%define _plugindir2 %{_libdir}/sasl2
@@ -10,7 +10,7 @@
Summary: The Cyrus SASL library
Name: cyrus-sasl
Version: 2.1.26
-Release: 17%{?dist}
+Release: 19.2%{?dist}
License: BSD with advertising
Group: System Environment/Libraries
# Source0 originally comes from ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/;
@@ -22,7 +22,6 @@ Source7: sasl-mechlist.c
Source8: sasl-checkpass.c
Source9: saslauthd.sysconfig
Source10: make-no-dlcompatorsrp-tarball.sh
-Source11: saslauthd.tmpfiles
URL: http://asg.web.cmu.edu/sasl/sasl-library.html
Requires: %{name}-lib%{?_isa} = %{version}-%{release}
Patch11: cyrus-sasl-2.1.25-no_rpath.patch
@@ -51,6 +50,18 @@ Patch49: cyrus-sasl-2.1.26-md5global.patch
Patch50: cyrus-sasl-2.1.26-sql.patch
# Treat SCRAM-SHA-1/DIGEST-MD5 as more secure than PLAIN (#970718)
Patch51: cyrus-sasl-2.1.26-prefer-SCRAM-SHA-1-over-PLAIN.patch
+# Revert updated GSSAPI flags as in RFC 4752 to restore backward compatibility (#1154566)
+Patch52: cyrus-sasl-2.1.26-revert-gssapi-flags.patch
+# Document ability to run saslauthd unprivileged (#1188065)
+Patch53: cyrus-sasl-2.1.26-saslauthd-user.patch
+# Support non-confidentiality/non-integrity requests from AIX SASL GSSAPI implementation (#1174322)
+Patch54: cyrus-sasl-2.1.26-gssapi-non-encrypt.patch
+# Update client library to be thread safe (#1147659)
+Patch55: cyrus-sasl-2.1.26-make-client-thread-sage.patch
+# Parsing short prefix matches the whole mechanism name (#1089267)
+Patch56: cyrus-sasl-2.1.26-handle-single-character-mechanisms.patch
+# Fix confusing message when config file has typo (#1022479)
+Patch57: cyrus-sasl-2.1.26-error-message-when-config-has-typo.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: autoconf, automake, libtool, gdbm-devel, groff
@@ -64,6 +75,7 @@ Requires(post): chkconfig, /sbin/service systemd-units
Requires(pre): /usr/sbin/useradd /usr/sbin/groupadd systemd-units
Requires(postun): /usr/sbin/userdel /usr/sbin/groupdel systemd-units
Requires: /sbin/nologin
+Requires: systemd >= 219
Provides: user(%username)
Provides: group(%username)
@@ -193,6 +205,12 @@ chmod -x include/*.h
%patch49 -p1 -b .md5global.h
%patch50 -p1 -b .sql
%patch51 -p1 -b .sha1vsplain
+%patch52 -p1 -b .revert
+%patch53 -p1 -b .man-unprivileged
+%patch54 -p1 -b .gssapi_non_encrypt
+%patch55 -p1 -b .threads
+%patch56 -p1 -b .prefix
+%patch57 -p1 -b .typo
%build
@@ -300,16 +318,11 @@ install -m755 -d $RPM_BUILD_ROOT%{_mandir}/man8/
install -m644 -p saslauthd/saslauthd.mdoc $RPM_BUILD_ROOT%{_mandir}/man8/saslauthd.8
install -m644 -p saslauthd/testsaslauthd.8 $RPM_BUILD_ROOT%{_mandir}/man8/testsaslauthd.8
-# Create the saslauthd listening directory.
-install -m755 -d $RPM_BUILD_ROOT/run/saslauthd
-
# Install the init script for saslauthd and the init script's config file.
install -m755 -d $RPM_BUILD_ROOT/etc/rc.d/init.d $RPM_BUILD_ROOT/etc/sysconfig
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 -p %{SOURCE5} $RPM_BUILD_ROOT/%{_unitdir}/saslauthd.service
install -m644 -p %{SOURCE9} $RPM_BUILD_ROOT/etc/sysconfig/saslauthd
-install -m755 -d $RPM_BUILD_ROOT/%{_prefix}/lib/tmpfiles.d
-install -m644 -p %{SOURCE11} $RPM_BUILD_ROOT/%{_prefix}/lib/tmpfiles.d/saslauthd.conf
# Install the config dirs if they're not already there.
install -m755 -d $RPM_BUILD_ROOT/%{_sysconfdir}/sasl2
@@ -332,7 +345,7 @@ test "$RPM_BUILD_ROOT" != "/" && rm -rf $RPM_BUILD_ROOT
%pre
getent group %{username} >/dev/null || groupadd -g 76 -r %{username}
-getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} -s /sbin/nologin -c \"%{hint}\" %{username}
+getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir} -s /sbin/nologin -c "%{hint}" %{username}
%post
%systemd_post saslauthd.service
@@ -360,8 +373,7 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%{_sbindir}/testsaslauthd
%config(noreplace) /etc/sysconfig/saslauthd
%{_unitdir}/saslauthd.service
-%{_prefix}/lib/tmpfiles.d/saslauthd.conf
-%dir /run/saslauthd
+%ghost /run/saslauthd
%files lib
%defattr(-,root,root)
@@ -422,6 +434,18 @@ getent passwd %{username} >/dev/null || useradd -r -g %{username} -d %{homedir}
%{_sbindir}/sasl2-shared-mechlist
%changelog
+* Thu Jul 16 2015 Jakub Jelen <jjelen@redhat.com> 2.1.26-19.2
+- Revert tmpfiles.d and use new systemd feature RuntimeDirectory (#1188065)
+
+* Wed May 20 2015 Jakub Jelen <jjelen@redhat.com> 2.1.26-18
+- Revert updated GSSAPI flags as in RFC 4752 to restore backward compatibility (#1154566)
+- Add and document ability to run saslauth as non-root user (#1188065)
+- Support AIX SASL GSSAPI (#1174322)
+- Update client library to be thread safe (#1147659)
+- Fix problem, that parsing short prefix matches the whole mechanism name (#1089267)
+- Don't use unnecessary quotes around user description (#1082564)
+- Fix confusing message when config file has typo (#1022479)
+
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.1.26-17
- Mass rebuild 2014-01-24