Multiple crashes in cyrus-imapd-3.0.1 (httpd)

Fritz Elfert fritz at
Wed May 10 15:09:07 EDT 2017

On 10.05.2017 18:45, Ken Murchison wrote:

>> ***It would be interesting to know, what the original author of that
>> suspicious line in httpd.c had intended.***
> Setting maxbufsize to zero disables integrity and security protection
> since no HTTP client that I found uses qop=auth-int
Which cyrus-sasl version did you use?

At least *here* using *Fedoras* packaged cyrus-sasl-2.1.26 (which
admittingly turned out to be heavily patched by RedHat - for security?),
the invocation of either

sasl_setprop(httpd_saslconn, SASL_SEC_PROPS, secprops)


sasl_setprop(httpd_saslconn, SASL_SSF_EXTERNAL, &extprops_ssf)

returns a value != SASL_OK.

Both printed the same error message (changes with my pull request) which
is why I can't tell which one failed (most likely the first one though).

If you like to have a look at RedHat's patches to cyrus-sasl-2.1.26, you
can browse them here:


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Cyrus-devel mailing list