krb5: CVE-2013-1417

Related Vulnerabilities: CVE-2013-1417, CVE-2013-1418

Debian Bug report logs - #730085


Package: krb5; Maintainer for krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 21 Nov 2013 06:57:01 UTC

Severity: important

Tags: fixed-upstream, patch, security, upstream

Found in version 1.11.3+dfsg-3

Fixed in version krb5/1.11.3+dfsg-3+nmu1

Done: Michael Gilbert <mgilbert@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#730085; Package krb5. (Thu, 21 Nov 2013 06:57:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>. (Thu, 21 Nov 2013 06:57:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: krb5: CVE-2013-1417
Date: Thu, 21 Nov 2013 07:55:01 +0100
Package: krb5
Version: 1.11.3+dfsg-3
Severity: important
Tags: security patch upstream fixed-upstream

Hi,

the following vulnerability was published for krb5.

CVE-2013-1417[0]:
KDC null deref due to referrals

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1417
    http://security-tracker.debian.org/tracker/CVE-2013-1417
[1] https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc

As per upstream commit "The vulnerable configuration is not likely to
arise in practice." (but opening a bug report to keep track on
security-tracker/BTS).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#730085; Package krb5. (Sun, 01 Dec 2013 17:45:16 GMT)


Acknowledgement sent to Michael Gilbert <mgilbert@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Sun, 01 Dec 2013 17:45:16 GMT)


Message #10 received at 730085@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 725596@bugs.debian.org, 730085@bugs.debian.org, 728845@bugs.debian.org
Subject: nmu fixing 3 issues
Date: Sun, 1 Dec 2013 12:40:05 -0500
Hi, I've uploaded an nmu fixing these 3 issues to delayed/3.  Please
see attached patch.

Best wishes,
Mike
[krb5.patch (text/x-patch, attachment)]

Reply sent to Michael Gilbert <mgilbert@debian.org>:
You have taken responsibility. (Wed, 04 Dec 2013 17:51:18 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 04 Dec 2013 17:51:18 GMT)


Message #15 received at 730085-close@bugs.debian.org:

From: Michael Gilbert <mgilbert@debian.org>
To: 730085-close@bugs.debian.org
Subject: Bug#730085: fixed in krb5 1.11.3+dfsg-3+nmu1
Date: Wed, 04 Dec 2013 17:49:06 +0000
Source: krb5
Source-Version: 1.11.3+dfsg-3+nmu1

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 730085@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Gilbert <mgilbert@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 16 Nov 2013 23:40:00 +0000
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit8 libkadm5clnt-mit8 libk5crypto3 libkdb5-7 libkrb5support0 krb5-gss-samples krb5-locales
Architecture: source all amd64
Version: 1.11.3+dfsg-3+nmu1
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Michael Gilbert <mgilbert@debian.org>
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-locales - Internationalization support for MIT Kerberos
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit8 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit8 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-7  - MIT Kerberos runtime libraries - Kerberos database
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 725596 728845 730085
Changes: 
 krb5 (1.11.3+dfsg-3+nmu1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Add python-lxml build dependency (closes: #725596).
   * Fix cve-2013-1417: KDC daemon crash condition (closes: #730085).
   * Fix cve-2013-1418: KDC null pointer dereference issue (closes: #728845).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 04 Jan 2014 07:30:31 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:13:02 2019; Machine Name: buxtehude
