CVE-2010-0628 (MITKRB5-SA-2010-002)


Debian Bug report logs - #575740

Package: krb5; Maintainer for krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Giuseppe Iuculano <iuculano@debian.org>

Date: Sun, 28 Mar 2010 21:03:01 UTC

Severity: grave

Tags: patch, security

Found in version 1.8+dfsg~alpha1-7

Fixed in version krb5/1.8+dfsg-1.1

Done: Giuseppe Iuculano <iuculano@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#575740; Package krb5. (Sun, 28 Mar 2010 21:03:05 GMT) (full text, mbox, link).


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>. (Sun, 28 Mar 2010 21:03:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2010-0628 (MITKRB5-SA-2010-002)
Date: Sun, 28 Mar 2010 22:59:39 +0200
Package: krb5
Version: 1.8+dfsg~alpha1-7
Severity: grave
Tags: security


Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for krb5.

CVE-2010-0628[0]:
| The spnego_gss_accept_sec_context function in
| lib/gssapi/spnego/spnego_mech.c in the SPNEGO GSS-API functionality in
| MIT Kerberos 5 (aka krb5) 1.7 before 1.7.2 and 1.8 before 1.8.1 allows
| remote attackers to cause a denial of service (assertion failure and
| daemon crash) via an invalid packet that triggers incorrect
| preparation of an error token.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0628
    http://security-tracker.debian.org/tracker/CVE-2010-0628






Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#575740; Package krb5. (Fri, 09 Apr 2010 18:03:09 GMT) (full text, mbox, link).


Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Fri, 09 Apr 2010 18:03:09 GMT) (full text, mbox, link).


Message #10 received at 575740@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 574703@bugs.debian.org, 575740@bugs.debian.org
Subject: krb5: diff for NMU version 1.8+dfsg-1.1
Date: Fri, 9 Apr 2010 19:52:42 +0200
tags 574703 + patch
tags 575740 + patch
thanks

Dear maintainer,

I've prepared an NMU for krb5 (versioned as 1.8+dfsg-1.1). The diff
is attached to this message.

Regards.
[krb5-1.8+dfsg-1.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Giuseppe Iuculano <iuculano@debian.org> to control@bugs.debian.org. (Fri, 09 Apr 2010 18:03:13 GMT) (full text, mbox, link).


Reply sent to Giuseppe Iuculano <iuculano@debian.org>:
You have taken responsibility. (Fri, 09 Apr 2010 18:27:13 GMT) (full text, mbox, link).


Notification sent to Giuseppe Iuculano <iuculano@debian.org>:
Bug acknowledged by developer. (Fri, 09 Apr 2010 18:27:13 GMT) (full text, mbox, link).


Message #17 received at 575740-close@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>
To: 575740-close@bugs.debian.org
Subject: Bug#575740: fixed in krb5 1.8+dfsg-1.1
Date: Fri, 09 Apr 2010 18:20:47 +0000
Source: krb5
Source-Version: 1.8+dfsg-1.1

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive:

krb5-admin-server_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/krb5-admin-server_1.8+dfsg-1.1_i386.deb
krb5-doc_1.8+dfsg-1.1_all.deb
  to main/k/krb5/krb5-doc_1.8+dfsg-1.1_all.deb
krb5-kdc-ldap_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/krb5-kdc-ldap_1.8+dfsg-1.1_i386.deb
krb5-kdc_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/krb5-kdc_1.8+dfsg-1.1_i386.deb
krb5-multidev_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/krb5-multidev_1.8+dfsg-1.1_i386.deb
krb5-pkinit_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/krb5-pkinit_1.8+dfsg-1.1_i386.deb
krb5-user_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/krb5-user_1.8+dfsg-1.1_i386.deb
krb5_1.8+dfsg-1.1.diff.gz
  to main/k/krb5/krb5_1.8+dfsg-1.1.diff.gz
krb5_1.8+dfsg-1.1.dsc
  to main/k/krb5/krb5_1.8+dfsg-1.1.dsc
libgssapi-krb5-2_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/libgssapi-krb5-2_1.8+dfsg-1.1_i386.deb
libgssrpc4_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/libgssrpc4_1.8+dfsg-1.1_i386.deb
libk5crypto3_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/libk5crypto3_1.8+dfsg-1.1_i386.deb
libkadm5clnt-mit7_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/libkadm5clnt-mit7_1.8+dfsg-1.1_i386.deb
libkadm5srv-mit7_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/libkadm5srv-mit7_1.8+dfsg-1.1_i386.deb
libkdb5-4_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/libkdb5-4_1.8+dfsg-1.1_i386.deb
libkrb5-3_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/libkrb5-3_1.8+dfsg-1.1_i386.deb
libkrb5-dbg_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/libkrb5-dbg_1.8+dfsg-1.1_i386.deb
libkrb5-dev_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/libkrb5-dev_1.8+dfsg-1.1_i386.deb
libkrb5support0_1.8+dfsg-1.1_i386.deb
  to main/k/krb5/libkrb5support0_1.8+dfsg-1.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 575740@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <iuculano@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 09 Apr 2010 19:11:50 +0200
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit7 libkadm5clnt-mit7 libk5crypto3 libkdb5-4 libkrb5support0
Architecture: source all i386
Version: 1.8+dfsg-1.1
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit7 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit7 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-4  - MIT Kerberos runtime libraries - Kerberos database
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 574703 575740
Changes: 
 krb5 (1.8+dfsg-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2010-0628: denial of service (assertion failure and daemon crash)
     via an invalid packet that triggers incorrect preparation of an error
     token. (Closes: 575740)
   * Makes src/slave/kpropd.c ISO C90 compliant (Closes: #574703)
Checksums-Sha1: 
Checksums-Sha256: 
Files: 






Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 08 May 2010 07:34:09 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:10:51 2019; Machine Name: beach
