Debian Bug report logs -
#762479
CVE-2014-5351 in krb5-admin-server
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#762479; Package krb5-admin-server.
(Mon, 22 Sep 2014 18:39:06 GMT) (full text, mbox, link).
Acknowledgement sent
to Benjamin Kaduk <kaduk@MIT.EDU>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>.
(Mon, 22 Sep 2014 18:39:06 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: krb5-admin-server
Version: 1.8.3+dfsg-4squeeze7
Tags: security fixed_upstream pending
CVE-2014-5351:
An authenticated remote attacker can retrieve the current keys for a
service principal when generating a new set of keys for that
principal. The attacker needs to be authenticated as a user who has
the elevated privilege for randomizing the keys of other principals.
Normally, when a Kerberos administrator randomizes the keys of a
service principal, kadmind returns only the new keys. This prevents
an administrator who lacks legitimate privileged access to a service
from forging tickets to authenticate to that service. If the
"keepold" flag to the kadmin randkey RPC operation is true, kadmind
retains the old keys in the KDC database as intended, but also
unexpectedly returns the old keys to the client, which exposes the
forgery attacks from the administrator.
A mitigating factor is that legitimate clients of the affected service
will start failing to authenticate to the service once they begin to
receive service tickets encrypted in the new keys. The affected
service will be unable to decrypt the newly issued tickets, possibly
alerting the legitimate administrator of the affected service.
CVSSv2: AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018
Added tag(s) upstream and fixed-upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 22 Sep 2014 19:06:05 GMT) (full text, mbox, link).
Marked as found in versions krb5/1.8.3+dfsg-4.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 22 Sep 2014 19:06:07 GMT) (full text, mbox, link).
Reply sent
to Benjamin Kaduk <kaduk@mit.edu>:
You have taken responsibility.
(Mon, 22 Sep 2014 19:24:34 GMT) (full text, mbox, link).
Notification sent
to Benjamin Kaduk <kaduk@MIT.EDU>:
Bug acknowledged by developer.
(Mon, 22 Sep 2014 19:24:34 GMT) (full text, mbox, link).
Message #16 received at 762479-close@bugs.debian.org (full text, mbox, reply):
Source: krb5
Source-Version: 1.12.1+dfsg-10
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 762479@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Benjamin Kaduk <kaduk@mit.edu> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 22 Sep 2014 14:53:33 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit9 libkadm5clnt-mit9 libk5crypto3 libkdb5-7 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source all amd64
Version: 1.12.1+dfsg-10
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Benjamin Kaduk <kaduk@mit.edu>
Description:
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - Documentation for MIT Kerberos
krb5-gss-samples - MIT Kerberos GSS Sample applications
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-locales - Internationalization support for MIT Kerberos
krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
krb5-otp - OTP plugin for MIT Kerberos
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
libkadm5clnt-mit9 - MIT Kerberos runtime libraries - Administration Clients
libkadm5srv-mit9 - MIT Kerberos runtime libraries - KDC and Admin Server
libkdb5-7 - MIT Kerberos runtime libraries - Kerberos database
libkrad-dev - MIT Kerberos RADIUS Library Development
libkrad0 - MIT Kerberos runtime libraries - RADIUS library
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 762479
Changes:
krb5 (1.12.1+dfsg-10) unstable; urgency=medium
.
* Import upstream's patch for CVE-2014-5351, Closes: #762479
Checksums-Sha1:
2ba168a5840eb2f46578870026f4dd9d60b0e1aa 3161 krb5_1.12.1+dfsg-10.dsc
d361fae88827796aa558bd0158eed43033960b74 104216 krb5_1.12.1+dfsg-10.debian.tar.xz
b49b899f8c522b97d1a116039ab5e79a81b2c632 4687054 krb5-doc_1.12.1+dfsg-10_all.deb
074ba6c59b248b9fa245c499f2e89dcfe8d4bbd5 2647508 krb5-locales_1.12.1+dfsg-10_all.deb
f5f54b149c0086035d5a3fb523a1ce0839c6ac7c 136220 krb5-user_1.12.1+dfsg-10_amd64.deb
b3f4947bed39a3c14ee1295f129f0654544e8805 207412 krb5-kdc_1.12.1+dfsg-10_amd64.deb
5ae850b87919b0a54829f76995a1ab0aedebf1b5 109872 krb5-kdc-ldap_1.12.1+dfsg-10_amd64.deb
c47cfee8b0e3643517ead4910d98406e41819af0 114902 krb5-admin-server_1.12.1+dfsg-10_amd64.deb
84fe284c6f075b107cbf2de305692b907dc42706 143818 krb5-multidev_1.12.1+dfsg-10_amd64.deb
da18bb519a2f0c74e2eb15ab337165c12c0a87b1 41466 libkrb5-dev_1.12.1+dfsg-10_amd64.deb
7eb0ac9623d89df83038b5e5c717c0cb71a8828a 1420890 libkrb5-dbg_1.12.1+dfsg-10_amd64.deb
3ebaefcf1fc71e6412a6ec20de80901df894a38f 82688 krb5-pkinit_1.12.1+dfsg-10_amd64.deb
6246922042b03ff732d5f4ba2aa7aa82459862db 47080 krb5-otp_1.12.1+dfsg-10_amd64.deb
b8ed0ef93701554b52fcd0fc9b64fa72d0dde883 301586 libkrb5-3_1.12.1+dfsg-10_amd64.deb
1788cd35418f3a60afb01f7f5065966e987637bb 149658 libgssapi-krb5-2_1.12.1+dfsg-10_amd64.deb
f5c861f3862dc56d41815b4031bdefd344ce7d04 85166 libgssrpc4_1.12.1+dfsg-10_amd64.deb
f25c15864521ae06e887629b5dabd5e2fe51e6a7 81826 libkadm5srv-mit9_1.12.1+dfsg-10_amd64.deb
1623193347c96e3d8053995b6bbcb71f8199229d 67164 libkadm5clnt-mit9_1.12.1+dfsg-10_amd64.deb
4d519a45cbeb928c94de4c668e657cbf3618cba5 112760 libk5crypto3_1.12.1+dfsg-10_amd64.deb
53b1a3c449a754624740be9207cba65be27d29fb 67336 libkdb5-7_1.12.1+dfsg-10_amd64.deb
353032641dd096b5084655dd376d9ced87cd2b00 57890 libkrb5support0_1.12.1+dfsg-10_amd64.deb
be78a7853dabc5082b2e32359f90c9a6b30c9efa 51528 libkrad0_1.12.1+dfsg-10_amd64.deb
19cc158048c6e2e703af72abed5c03e4faf5c1d4 54760 krb5-gss-samples_1.12.1+dfsg-10_amd64.deb
1967e1da92e912c0e88f155a9bb38eaa163f2b4f 41912 libkrad-dev_1.12.1+dfsg-10_amd64.deb
Checksums-Sha256:
e7532a21ce1e14129e35d47097a87499e7891bd79d0a8053e3ac68d822d2f9bf 3161 krb5_1.12.1+dfsg-10.dsc
20ad87c7723ad2a8656b0ff395f95639ee77a9e5ec0cabb8813ec99f0da6e4e5 104216 krb5_1.12.1+dfsg-10.debian.tar.xz
b03a860b6b5417b4d86949f4511161fb8a6b22cfbbc7c8ba330194e8f96b9d82 4687054 krb5-doc_1.12.1+dfsg-10_all.deb
f4a9f90a87d79c48f3500a4bba555668276c37aa48b1945bc08a3cb2521c5d7d 2647508 krb5-locales_1.12.1+dfsg-10_all.deb
207135dbfa6b5d96d3ec2f3744afc19200fadc15d1dba5515943471d2dfefc2d 136220 krb5-user_1.12.1+dfsg-10_amd64.deb
9b84c04d0cfab2b805c21f07de0553ea6b95620cfae5dc671cf08b5b8e6d2126 207412 krb5-kdc_1.12.1+dfsg-10_amd64.deb
8c7b9a5e15141254882f2f64f5ac08575ba272d1a69d7e14eed71f311d641522 109872 krb5-kdc-ldap_1.12.1+dfsg-10_amd64.deb
e71da4b76bd80eb55819443d181f5bc79a8480d7a03aa861c2b057b6fc2c6fb2 114902 krb5-admin-server_1.12.1+dfsg-10_amd64.deb
6f7ba3a952f5f4db232245c60d684e603a0358956580e6a414c3558cd216004d 143818 krb5-multidev_1.12.1+dfsg-10_amd64.deb
1f3387a1a2973438eedfcbd2d35d63c46c1794cd6fc5b995ec3f5bd960a05982 41466 libkrb5-dev_1.12.1+dfsg-10_amd64.deb
c653e7df9690f169347c7cf9916e538c1fa34ea06c49d00eb4f6705f900ac4b1 1420890 libkrb5-dbg_1.12.1+dfsg-10_amd64.deb
42f62559e0d48864515c616d4a3184624733b5ec0c7bf1b76e3535f15a4023c8 82688 krb5-pkinit_1.12.1+dfsg-10_amd64.deb
330a9c7aeb7f6bd63a101ca579ba4280f8cda947b37b980d03fb92b52047298c 47080 krb5-otp_1.12.1+dfsg-10_amd64.deb
6d00138392eeba8f51f95318ed4181ff141cab837d700cb27cd6875faca1dc49 301586 libkrb5-3_1.12.1+dfsg-10_amd64.deb
f7a84b74b7e32395f73c0fbcc47f899704f30355b8d06a05d707328e72b6be3a 149658 libgssapi-krb5-2_1.12.1+dfsg-10_amd64.deb
6963c0f573049b9024bfcee83c014d25e2d779fcbb8b0c61406382b270a7fe7d 85166 libgssrpc4_1.12.1+dfsg-10_amd64.deb
9fa8f79a499341fe937127acb80567f9c428c06b249e38efb7f916f22d94b5f6 81826 libkadm5srv-mit9_1.12.1+dfsg-10_amd64.deb
28d9bfa25f0f71ec2b028842a9db840a5df4b880e462ceea294af3a2baa46dda 67164 libkadm5clnt-mit9_1.12.1+dfsg-10_amd64.deb
0ac64e8b1a664ab9eccb769e5a0051fd8a9269c13549e68c34b72eaf30924de2 112760 libk5crypto3_1.12.1+dfsg-10_amd64.deb
7f00c5b26b63b281e93438c6e62e18a5555ef20edfdef13a362fb5268312bbe2 67336 libkdb5-7_1.12.1+dfsg-10_amd64.deb
a7e66a80953015c40406edf050e7cf89758ee48da65e9eb36619244c6c28aa0c 57890 libkrb5support0_1.12.1+dfsg-10_amd64.deb
c40615eb6c2c86adc2c2474002d0c82d423017f24af6657f7aa46299c4842cde 51528 libkrad0_1.12.1+dfsg-10_amd64.deb
183bef7930f086935814d4cbf1c030ad7aea0a20e92647632815b0c274cf3eaa 54760 krb5-gss-samples_1.12.1+dfsg-10_amd64.deb
a2e856cbc3454610d75e1fe6cb0885605e9752e9b7762ea2c56d8d804b3f3ef5 41912 libkrad-dev_1.12.1+dfsg-10_amd64.deb
Files:
825be3c630b0495834efa03e1ddc02c1 4687054 doc optional krb5-doc_1.12.1+dfsg-10_all.deb
c1358c92eb65f779735c27f2ed18f528 2647508 localization standard krb5-locales_1.12.1+dfsg-10_all.deb
05e5f98bc702e52e5c60e485d2f96022 136220 net optional krb5-user_1.12.1+dfsg-10_amd64.deb
6d14a516dad655cf6b1bc3fafa8b8e04 207412 net optional krb5-kdc_1.12.1+dfsg-10_amd64.deb
9ade0a22c4afa920de584258c5c729aa 109872 net extra krb5-kdc-ldap_1.12.1+dfsg-10_amd64.deb
5ea0095a00f1c920d999f005a77a98d8 114902 net optional krb5-admin-server_1.12.1+dfsg-10_amd64.deb
7ed032279e3cd6a5007419ee9a0392f0 143818 libdevel optional krb5-multidev_1.12.1+dfsg-10_amd64.deb
607d0a96b28f03e9b171ac5e04defaf3 41466 libdevel extra libkrb5-dev_1.12.1+dfsg-10_amd64.deb
9d66f537b3403d33c7db872bddd47ef6 1420890 debug extra libkrb5-dbg_1.12.1+dfsg-10_amd64.deb
6cc295b8e9b51f8ccb162b69cb5867af 82688 net extra krb5-pkinit_1.12.1+dfsg-10_amd64.deb
aebd742535ce78be5371aa2bcba67e91 47080 net extra krb5-otp_1.12.1+dfsg-10_amd64.deb
e34daae617758300d957fbaad776ad3e 301586 libs standard libkrb5-3_1.12.1+dfsg-10_amd64.deb
1ee62abfe59245302994693306f4d533 149658 libs standard libgssapi-krb5-2_1.12.1+dfsg-10_amd64.deb
73855137f83238fbbed73f81f491b99e 85166 libs standard libgssrpc4_1.12.1+dfsg-10_amd64.deb
e76034aad0199eaf4598fce8b0a71bfb 81826 libs standard libkadm5srv-mit9_1.12.1+dfsg-10_amd64.deb
f7b3ce43c3c3f3471781950677c4919f 67164 libs standard libkadm5clnt-mit9_1.12.1+dfsg-10_amd64.deb
0650571ecd99d1993f15d2a4e26a229d 112760 libs standard libk5crypto3_1.12.1+dfsg-10_amd64.deb
0bad8a81dfd60ed0b5c08834030de069 67336 libs standard libkdb5-7_1.12.1+dfsg-10_amd64.deb
73da7d429f012ccc91051ad21cb910c1 57890 libs standard libkrb5support0_1.12.1+dfsg-10_amd64.deb
df176520149075847894300463d0ad0e 51528 libs standard libkrad0_1.12.1+dfsg-10_amd64.deb
b6077f0f5474c93ba5a10cee1c4d38c9 54760 net extra krb5-gss-samples_1.12.1+dfsg-10_amd64.deb
19fc3f86a4507d420da83c988844c3a5 41912 libdevel extra libkrad-dev_1.12.1+dfsg-10_amd64.deb
49c5f88c882b7bee37be580ffdddd1b5 3161 net standard krb5_1.12.1+dfsg-10.dsc
74b8574f9d96c811beb13c0a6f94cfe5 104216 net standard krb5_1.12.1+dfsg-10.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGgBAEBCgAGBQJUIHHnAAoJECjZpvNk63USBwMMHi051tKVoSNc6mopHkEc0Nn6
RFYU3L8TI90uZeUaJXoGsP8w34bOYc/TJsAs3KyyPkaIdL89Hiw9Zbhp15EUsMQG
K11E8UB5WIL52M9Kyp9H6xfKGhQXJqg+2Xxqzs1TiVKISQD64+LC+T54W7b/a4C9
irNQuXXGt6gTHBLlctLdPc6XAozJyjcO9sTfu4VM9gn40WKAO3WIAGzETGuoAOyY
wC1Z3UOT3vXn8TWA2jEbkivqXrpdF3437Pp96zrfSpO5QNg9aUfdNZ1lHRaK8jyq
puBIPWmqEuR2E4Sd3kBt8RaIiuXwM/Z/u+4snPOsi6RtCKzI5DQmmVjltuEcgtiA
nJH4NeUZWi24FUoZu9BdimfRdtXaKyHbz3E681D1iGEbBfWtiuZJlMbiOSOaydvw
ybvfQwb3hDJXwanVn8YMkHT3XAvX/Cg4NCrUOkUIWDz4I2pDrZnburlFqxRpG1Hx
EDLTzRid+kxFMxDm8tNpsRsF25B0gOqD3Pfa5jXek+smav4=
=vqeh
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 26 Oct 2014 07:37:50 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:23:30 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon