Full_Name: Bill Clay
Version: 2.4.44
OS: Debian/GNU Linux 7.8 (Wheezy)
URL:
Submission from: (NULL) (79.12.44.250)
Cyrus SASL 2.1.26 plugins/scram.c decode_saslname() may return a corrupt authz name.
SASL SCRAM-SHA-1 auth with a "dn:" style authzID can return an authzID string with trailing original (escaped) characters appended. slapd may then incorrectly deny the requested proxy authorization because the returned value may fail match criteria that a correctly-decoded SASL name would pass. (There may be other SASL SCRAM scenarios in which this flaw would produce incorrect results.)
Cyrus SASL issue: https://github.com/cyrusimap/cyrus-sasl/issues/416
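
Added example, not part of the original report and not Cyrus SASL's code: a stand-alone in-place decoder for RFC 5802 saslname escapes ("=2C" for ',' and "=3D" for '='), showing why the decoded string has to be re-terminated. The names saslname_decode and decodes_to are hypothetical and the DN is a constructed sample.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the Cyrus SASL function): decode an RFC 5802
 * saslname in place. "=2C" -> ',' and "=3D" -> '='; any other '=' is
 * malformed. Returns 0 on success, -1 on a bad escape. */
static int saslname_decode(char *buf)
{
    char *in = buf, *out = buf;

    while (*in) {
        if (*in == '=') {
            if (in[1] == '2' && in[2] == 'C')
                *out++ = ',';
            else if (in[1] == '3' && in[2] == 'D')
                *out++ = '=';
            else
                return -1;
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    /* The decoded name is shorter than the escaped input. Without this
     * terminator the bytes between `out` and the old end of string stay
     * in place, so a caller reads the decoded name followed by leftover
     * escaped text, which is the symptom this report describes. */
    *out = '\0';
    return 0;
}

/* Decode a copy of `escaped`; return 1 if the result equals `expected`. */
static int decodes_to(const char *escaped, const char *expected)
{
    char buf[256];
    if (strlen(escaped) >= sizeof buf) return 0;
    strcpy(buf, escaped);
    if (saslname_decode(buf) != 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample: a "dn:" authzID as escaped in the SCRAM message. */
    const char *wire = "dn:uid=3Dproxy=2Cou=3Dpeople=2Cdc=3Dexample=2Cdc=3Dcom";
    const char *want = "dn:uid=proxy,ou=people,dc=example,dc=com";
    printf("%s\n", decodes_to(wire, want) ? "ok" : "mismatch");
    return 0;
}
```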