CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre


Debian Bug report logs - #868208


Package: src:heimdal; Maintainer for src:heimdal is Brian May <bam@debian.org>;

Reported by: Raphael Hertzog <hertzog@debian.org>

Date: Thu, 13 Jul 2017 05:00:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version heimdal/1.6~git20120403+dfsg1-2

Fixed in versions heimdal/7.4.0.dfsg.1-1, heimdal/7.1.0+dfsg-13+deb9u1, heimdal/1.6~rc2+dfsg-9+deb8u1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Brian May <bam@debian.org>:
Bug#868208; Package src:heimdal. (Thu, 13 Jul 2017 05:00:04 GMT)


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Brian May <bam@debian.org>. (Thu, 13 Jul 2017 05:00:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Date: Thu, 13 Jul 2017 06:56:22 +0200
Source: heimdal
Severity: grave
Tags: security patch
Version: 1.6~git20120403+dfsg1-2

Hi,

the following vulnerability was published for heimdal.

CVE-2017-11103[0]: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre

A dedicated website is here:
https://orpheus-lyre.info/

The heimdal patch is here:
https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea

All Debian releases are affected (from wheezy to sid).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-11103
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103

Please adjust the affected versions in the BTS as needed.

-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 13 Jul 2017 21:06:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>:
Bug#868208; Package src:heimdal. (Fri, 14 Jul 2017 13:12:03 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Fri, 14 Jul 2017 13:12:03 GMT)


Message #12 received at 868208@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: bam@debian.org
Cc: Raphael Hertzog <hertzog@debian.org>, 868208@bugs.debian.org
Subject: Re: Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Date: Fri, 14 Jul 2017 15:08:25 +0200
Hi Brian,
I've uploaded heimdal with the attached debdiff to delayed/2. Let me
know if you're o.k. with it and I'll reupload without delay.
Cheers,
 -- Guido
[heimdal-debian_7.1.0+dfsg-13.1.diff (text/x-diff, attachment)]

Added tag(s) pending. Request was from Guido Günther <agx@sigxcpu.org> to control@bugs.debian.org. (Fri, 14 Jul 2017 13:12:06 GMT)


Reply sent to Brian May <bam@debian.org>:
You have taken responsibility. (Sat, 15 Jul 2017 11:09:11 GMT)


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Sat, 15 Jul 2017 11:09:11 GMT)


Message #19 received at 868208-close@bugs.debian.org:

From: Brian May <bam@debian.org>
To: 868208-close@bugs.debian.org
Subject: Bug#868208: fixed in heimdal 7.4.0.dfsg.1-1
Date: Sat, 15 Jul 2017 11:06:31 +0000
Source: heimdal
Source-Version: 7.4.0.dfsg.1-1

We believe that the bug you reported is fixed in the latest version of
heimdal, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868208@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brian May <bam@debian.org> (supplier of updated heimdal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 15 Jul 2017 19:47:32 +1000
Source: heimdal
Binary: heimdal-docs heimdal-kdc heimdal-multidev heimdal-dev heimdal-clients heimdal-kcm heimdal-servers heimdal-dbg libheimbase1-heimdal libasn1-8-heimdal libkrb5-26-heimdal libhdb9-heimdal libkadm5srv8-heimdal libkadm5clnt7-heimdal libgssapi3-heimdal libkafs0-heimdal libroken18-heimdal libotp0-heimdal libsl0-heimdal libkdc2-heimdal libhx509-5-heimdal libheimntlm0-heimdal libwind0-heimdal libhcrypto4-heimdal
Architecture: source i386 all
Version: 7.4.0.dfsg.1-1
Distribution: unstable
Urgency: high
Maintainer: Brian May <bam@debian.org>
Changed-By: Brian May <bam@debian.org>
Description:
 heimdal-clients - Heimdal Kerberos - clients
 heimdal-dbg - Heimdal Kerberos - debugging symbols
 heimdal-dev - Heimdal Kerberos - development files
 heimdal-docs - Heimdal Kerberos - documentation
 heimdal-kcm - Heimdal Kerberos - KCM daemon
 heimdal-kdc - Heimdal Kerberos - key distribution center (KDC)
 heimdal-multidev - Heimdal Kerberos - Multi-implementation Development
 heimdal-servers - Heimdal Kerberos - server programs
 libasn1-8-heimdal - Heimdal Kerberos - ASN.1 library
 libgssapi3-heimdal - Heimdal Kerberos - GSSAPI support library
 libhcrypto4-heimdal - Heimdal Kerberos - crypto library
 libhdb9-heimdal - Heimdal Kerberos - kadmin server library
 libheimbase1-heimdal - Heimdal Kerberos - Base library
 libheimntlm0-heimdal - Heimdal Kerberos - NTLM support library
 libhx509-5-heimdal - Heimdal Kerberos - X509 support library
 libkadm5clnt7-heimdal - Heimdal Kerberos - kadmin client library
 libkadm5srv8-heimdal - Libraries for Heimdal Kerberos
 libkafs0-heimdal - Heimdal Kerberos - KAFS support library
 libkdc2-heimdal - Heimdal Kerberos - KDC support library
 libkrb5-26-heimdal - Heimdal Kerberos - libraries
 libotp0-heimdal - Heimdal Kerberos - OTP support library
 libroken18-heimdal - Heimdal Kerberos - roken support library
 libsl0-heimdal - Heimdal Kerberos - SL support library
 libwind0-heimdal - Heimdal Kerberos - stringprep implementation
Closes: 868208
Changes:
 heimdal (7.4.0.dfsg.1-1) unstable; urgency=high
 .
   * New upstream version.
   * Update standards version to 4.0.0.
   * CVE-2017-11103: Fix Orpheus' Lyre KDC-REP service name validation.
     (Closes: #868208).
Checksums-Sha1:
Checksums-Sha256:
Files:





Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#868208; Package src:heimdal. (Sat, 15 Jul 2017 11:09:13 GMT)


Acknowledgement sent to Brian May <bam@debian.org>:
Extra info received and forwarded to list. (Sat, 15 Jul 2017 11:09:13 GMT)


Message #24 received at 868208@bugs.debian.org:

From: Brian May <bam@debian.org>
To: Guido Günther <agx@sigxcpu.org>, 868208@bugs.debian.org
Cc: Raphael Hertzog <hertzog@debian.org>, 868208@bugs.debian.org
Subject: Re: Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Date: Sat, 15 Jul 2017 21:08:37 +1000
Guido Günther <agx@sigxcpu.org> writes:

> I've uploaded heimdal with the attached debdiff to delayed/2. Let me
> know if you're o.k. with it and I'll reupload without delay.

Thanks a lot for this.

I just uploaded version 7.4.0 so your upload is not required.
-- 
Brian May <bam@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>:
Bug#868208; Package src:heimdal. (Sat, 15 Jul 2017 17:18:02 GMT)


Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Sat, 15 Jul 2017 17:18:02 GMT)


Message #29 received at 868208@bugs.debian.org:

From: Guido Günther <agx@sigxcpu.org>
To: Brian May <bam@debian.org>
Cc: 868208@bugs.debian.org, Raphael Hertzog <hertzog@debian.org>
Subject: Re: Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Date: Sat, 15 Jul 2017 19:14:29 +0200
Hi,
On Sat, Jul 15, 2017 at 09:08:37PM +1000, Brian May wrote:
> Guido Günther <agx@sigxcpu.org> writes:
> 
> > I've uploaded heimdal with the attached debdiff to delayed/2. Let me
> > know if you're o.k. with it and I'll reupload without delay.
> 
> Thanks a lot for this.
> 
> I just uploaded version 7.4.0 so your upload is not required.

Great. Are you going to handle stable and oldstable as well?
Cheers,
 -- Guido

> -- 
> Brian May <bam@debian.org>
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>:
Bug#868208; Package src:heimdal. (Sun, 16 Jul 2017 08:00:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Sun, 16 Jul 2017 08:00:03 GMT)


Message #34 received at 868208@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Guido Günther <agx@sigxcpu.org>, 868208@bugs.debian.org
Cc: Brian May <bam@debian.org>, Raphael Hertzog <hertzog@debian.org>
Subject: Re: Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Date: Sun, 16 Jul 2017 09:47:37 +0200
Hi

On Sat, Jul 15, 2017 at 07:14:29PM +0200, Guido Günther wrote:
> Hi,
> On Sat, Jul 15, 2017 at 09:08:37PM +1000, Brian May wrote:
> > Guido Günther <agx@sigxcpu.org> writes:
> > 
> > > I've uploaded heimdal with the attached debdiff to delayed/2. Let me
> > > know if you're o.k. with it and I'll reupload without delay.
> > 
> > Thanks a lot for this.
> > 
> > I just uploaded version 7.4.0 so your upload is not required.
> 
> Great. Are you going to handle stable and oldstable as well?

I have just prepared both and am uploading to security-master for jessie-
and stretch-security (the patch applied straightforwardly).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#868208; Package src:heimdal. (Sun, 16 Jul 2017 08:00:05 GMT)


Acknowledgement sent to Brian May <bam@debian.org>:
Extra info received and forwarded to list. (Sun, 16 Jul 2017 08:00:05 GMT)


Message #39 received at 868208@bugs.debian.org:

From: Brian May <bam@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, Guido Günther <agx@sigxcpu.org>, 868208@bugs.debian.org
Cc: Raphael Hertzog <hertzog@debian.org>
Subject: Re: Bug#868208: CVE-2017-11103: MitM attack, impersonation of the Kerberos client, known as Orpheus Lyre
Date: Sun, 16 Jul 2017 17:54:28 +1000
Salvatore Bonaccorso <carnil@debian.org> writes:

> I have just prepared both and am uploading to security-master for jessie-
> and stretch-security (the patch applied straightforwardly).

Thanks!
-- 
Brian May <bam@debian.org>



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 16 Jul 2017 18:36:06 GMT)


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Sun, 16 Jul 2017 18:36:06 GMT)


Message #44 received at 868208-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 868208-close@bugs.debian.org
Subject: Bug#868208: fixed in heimdal 7.1.0+dfsg-13+deb9u1
Date: Sun, 16 Jul 2017 18:32:56 +0000
Source: heimdal
Source-Version: 7.1.0+dfsg-13+deb9u1

We believe that the bug you reported is fixed in the latest version of
heimdal, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868208@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated heimdal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 16 Jul 2017 09:41:52 +0200
Source: heimdal
Binary: heimdal-docs heimdal-kdc heimdal-multidev heimdal-dev heimdal-clients heimdal-kcm heimdal-servers heimdal-dbg libheimbase1-heimdal libasn1-8-heimdal libkrb5-26-heimdal libhdb9-heimdal libkadm5srv8-heimdal libkadm5clnt7-heimdal libgssapi3-heimdal libkafs0-heimdal libroken18-heimdal libotp0-heimdal libsl0-heimdal libkdc2-heimdal libhx509-5-heimdal libheimntlm0-heimdal libwind0-heimdal libhcrypto4-heimdal
Architecture: source
Version: 7.1.0+dfsg-13+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Brian May <bam@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 868208
Description: 
 heimdal-clients - Heimdal Kerberos - clients
 heimdal-dbg - Heimdal Kerberos - debugging symbols
 heimdal-dev - Heimdal Kerberos - development files
 heimdal-docs - Heimdal Kerberos - documentation
 heimdal-kcm - Heimdal Kerberos - KCM daemon
 heimdal-kdc - Heimdal Kerberos - key distribution center (KDC)
 heimdal-multidev - Heimdal Kerberos - Multi-implementation Development
 heimdal-servers - Heimdal Kerberos - server programs
 libasn1-8-heimdal - Heimdal Kerberos - ASN.1 library
 libgssapi3-heimdal - Heimdal Kerberos - GSSAPI support library
 libhcrypto4-heimdal - Heimdal Kerberos - crypto library
 libhdb9-heimdal - Heimdal Kerberos - kadmin server library
 libheimbase1-heimdal - Heimdal Kerberos - Base library
 libheimntlm0-heimdal - Heimdal Kerberos - NTLM support library
 libhx509-5-heimdal - Heimdal Kerberos - X509 support library
 libkadm5clnt7-heimdal - Heimdal Kerberos - kadmin client library
 libkadm5srv8-heimdal - Libraries for Heimdal Kerberos
 libkafs0-heimdal - Heimdal Kerberos - KAFS support library
 libkdc2-heimdal - Heimdal Kerberos - KDC support library
 libkrb5-26-heimdal - Heimdal Kerberos - libraries
 libotp0-heimdal - Heimdal Kerberos - OTP support library
 libroken18-heimdal - Heimdal Kerberos - roken support library
 libsl0-heimdal - Heimdal Kerberos - SL support library
 libwind0-heimdal - Heimdal Kerberos - stringprep implementation
Changes:
 heimdal (7.1.0+dfsg-13+deb9u1) stretch-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
     (Closes: #868208)
Checksums-Sha1: 
 40cadcce2ee9f636009aa56a94257b182c7b27c3 3822 heimdal_7.1.0+dfsg-13+deb9u1.dsc
 8d808fa1eeb26c6263cc3b0b4c13bcf4c84ed268 8959650 heimdal_7.1.0+dfsg.orig.tar.gz
 79646fef8a0ab32a05668d48f71546a328fdd0fd 69600 heimdal_7.1.0+dfsg-13+deb9u1.debian.tar.xz
Checksums-Sha256: 
 78b48d4bbdced8c4026d1ca6f6f4ea6ac5a7e921b1143444ff104a7c3506de50 3822 heimdal_7.1.0+dfsg-13+deb9u1.dsc
 47a1439910d05ea884ad254646e7c48a9400a2c30f087ed8e8e0854697a480f9 8959650 heimdal_7.1.0+dfsg.orig.tar.gz
 49abab3006dc83c0b46e66c5895ba685e9cd20e378c9c9cf1c21bbf2e4f0bf9b 69600 heimdal_7.1.0+dfsg-13+deb9u1.debian.tar.xz
Files: 
 8e23cb1f907ab1f8e1bf2fa2e01671a8 3822 net optional heimdal_7.1.0+dfsg-13+deb9u1.dsc
 8a0ef9f85770b7a35072f0f32ec671ea 8959650 net optional heimdal_7.1.0+dfsg.orig.tar.gz
 78a212a5058cf54d8c5d42a6acd0569b 69600 net optional heimdal_7.1.0+dfsg-13+deb9u1.debian.tar.xz





Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Sun, 16 Jul 2017 18:36:08 GMT)


Notification sent to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer. (Sun, 16 Jul 2017 18:36:08 GMT)


Message #49 received at 868208-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 868208-close@bugs.debian.org
Subject: Bug#868208: fixed in heimdal 1.6~rc2+dfsg-9+deb8u1
Date: Sun, 16 Jul 2017 18:33:57 +0000
Source: heimdal
Source-Version: 1.6~rc2+dfsg-9+deb8u1

We believe that the bug you reported is fixed in the latest version of
heimdal, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 868208@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated heimdal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 16 Jul 2017 10:01:46 +0200
Source: heimdal
Binary: heimdal-docs heimdal-kdc heimdal-multidev heimdal-dev heimdal-clients-x heimdal-clients heimdal-kcm heimdal-servers-x heimdal-servers heimdal-dbg libheimbase1-heimdal libasn1-8-heimdal libkrb5-26-heimdal libhdb9-heimdal libkadm5srv8-heimdal libkadm5clnt7-heimdal libgssapi3-heimdal libkafs0-heimdal libroken18-heimdal libotp0-heimdal libsl0-heimdal libkdc2-heimdal libhx509-5-heimdal libheimntlm0-heimdal libwind0-heimdal libhcrypto4-heimdal
Architecture: all source
Version: 1.6~rc2+dfsg-9+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Brian May <bam@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 868208
Description: 
 heimdal-clients - Heimdal Kerberos - clients
 heimdal-clients-x - Heimdal Kerberos - X11 client programs
 heimdal-dbg - Heimdal Kerberos - debugging symbols
 heimdal-dev - Heimdal Kerberos - development files
 heimdal-docs - Heimdal Kerberos - documentation
 heimdal-kcm - Heimdal Kerberos - KCM daemon
 heimdal-kdc - Heimdal Kerberos - key distribution center (KDC)
 heimdal-multidev - Heimdal Kerberos - Multi-implementation Development
 heimdal-servers - Heimdal Kerberos - server programs
 heimdal-servers-x - Heimdal Kerberos - X11 server programs
 libasn1-8-heimdal - Heimdal Kerberos - ASN.1 library
 libgssapi3-heimdal - Heimdal Kerberos - GSSAPI support library
 libhcrypto4-heimdal - Heimdal Kerberos - crypto library
 libhdb9-heimdal - Heimdal Kerberos - kadmin server library
 libheimbase1-heimdal - Heimdal Kerberos - Base library
 libheimntlm0-heimdal - Heimdal Kerberos - NTLM support library
 libhx509-5-heimdal - Heimdal Kerberos - X509 support library
 libkadm5clnt7-heimdal - Heimdal Kerberos - kadmin client library
 libkadm5srv8-heimdal - Libraries for Heimdal Kerberos
 libkafs0-heimdal - Heimdal Kerberos - KAFS support library
 libkdc2-heimdal - Heimdal Kerberos - KDC support library
 libkrb5-26-heimdal - Heimdal Kerberos - libraries
 libotp0-heimdal - Heimdal Kerberos - OTP support library
 libroken18-heimdal - Heimdal Kerberos - roken support library
 libsl0-heimdal - Heimdal Kerberos - SL support library
 libwind0-heimdal - Heimdal Kerberos - stringprep implementation
Changes:
 heimdal (1.6~rc2+dfsg-9+deb8u1) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
     (Closes: #868208)
Checksums-Sha1: 
 b21ca1bfc7352a6a94f8190a3f6020d53a6b5807 3894 heimdal_1.6~rc2+dfsg-9+deb8u1.dsc
 3aeb2545842b5a8ba3c3e1e87b61cdde1a26cb4c 8985939 heimdal_1.6~rc2+dfsg.orig.tar.gz
 fb467a614b0d0c2b2ae0f9ff7e04ea251dfe5628 71084 heimdal_1.6~rc2+dfsg-9+deb8u1.debian.tar.xz
 8b5e41078898c62ae91071ee43b47ec5efdbd374 102040 heimdal-docs_1.6~rc2+dfsg-9+deb8u1_all.deb
Checksums-Sha256: 
 044b1418c0d482ee4093b4c337257cb6c2b08603adfe370bbf073360fbaa2ae2 3894 heimdal_1.6~rc2+dfsg-9+deb8u1.dsc
 6742e40a39aa256d518fb66fdacb992392e40562ff6ea011de4fe214862059ac 8985939 heimdal_1.6~rc2+dfsg.orig.tar.gz
 faf00bc223e2d496d0f612fb658bb96da8f9f331cfa5b617e78212d5471c805c 71084 heimdal_1.6~rc2+dfsg-9+deb8u1.debian.tar.xz
 6ffd9aae405e1fc1d22545d51636a844e2a3daf8ff3cb4481bef2331377c3bcb 102040 heimdal-docs_1.6~rc2+dfsg-9+deb8u1_all.deb
Files: 
 2989884b99aa1ad37ea4b0acfafc06b5 3894 net optional heimdal_1.6~rc2+dfsg-9+deb8u1.dsc
 811a228f6a636c548072eabf1dc16093 8985939 net optional heimdal_1.6~rc2+dfsg.orig.tar.gz
 8e508fcc46d086df046cade8715d7f8b 71084 net optional heimdal_1.6~rc2+dfsg-9+deb8u1.debian.tar.xz
 0e2b0b5f8d6b21979d4627000cf869bd 102040 doc extra heimdal-docs_1.6~rc2+dfsg-9+deb8u1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 20 Aug 2017 07:26:11 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:21:40 2019; Machine Name: buxtehude
