krb5: CVE-2015-8630: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask

Related Vulnerabilities: CVE-2015-8630, CVE-2015-8629, CVE-2015-8631

Debian Bug report logs - #813127


Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 29 Jan 2016 16:42:38 UTC

Severity: important

Tags: patch, security, upstream

Found in version krb5/1.12.1+dfsg-1

Fixed in versions krb5/1.12.1+dfsg-19+deb8u2, krb5/1.13.2+dfsg-5, krb5/1.14+dfsg-1

Done: Sam Hartman <hartmans@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#813127; Package src:krb5. (Fri, 29 Jan 2016 16:42:41 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>. (Fri, 29 Jan 2016 16:42:42 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: krb5: CVE-2015-8630: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
Date: Fri, 29 Jan 2016 17:41:41 +0100
Source: krb5
Version: 1.12.1+dfsg-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for krb5.

CVE-2015-8630[0]:
krb5 doesn't check for null policy when KADM5_POLICY is set in the mask

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8630

Please adjust the affected versions in the BTS as needed. Source seems
similar in older versions, so please double check if only 1.12 onwards
are affected.

Regards,
Salvatore



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 05 Feb 2016 10:51:08 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 05 Feb 2016 10:51:09 GMT)


Message #10 received at 813127-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 813127-close@bugs.debian.org
Subject: Bug#813127: fixed in krb5 1.12.1+dfsg-19+deb8u2
Date: Fri, 05 Feb 2016 10:47:08 +0000
Source: krb5
Source-Version: 1.12.1+dfsg-19+deb8u2

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813127@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 31 Jan 2016 11:48:01 +0100
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit9 libkadm5clnt-mit9 libk5crypto3 libkdb5-7 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: all source
Version: 1.12.1+dfsg-19+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 813126 813127 813296
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-locales - Internationalization support for MIT Kerberos
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit9 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit9 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-7  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Changes:
 krb5 (1.12.1+dfsg-19+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Verify decoded kadmin C strings [CVE-2015-8629]
     CVE-2015-8629: An authenticated attacker can cause kadmind to read
     beyond the end of allocated memory by sending a string without a
     terminating zero byte. Information leakage may be possible for an
     attacker with permission to modify the database. (Closes: #813296)
   * Check for null kadm5 policy name [CVE-2015-8630]
     CVE-2015-8630: An authenticated attacker with permission to modify a
     principal entry can cause kadmind to dereference a null pointer by
     supplying a null policy value but including KADM5_POLICY in the mask.
     (Closes: #813127)
   * Fix leaks in kadmin server stubs [CVE-2015-8631]
     CVE-2015-8631: An authenticated attacker can cause kadmind to leak
     memory by supplying a null principal name in a request which uses one.
     Repeating these requests will eventually cause kadmind to exhaust all
     available memory. (Closes: #813126)

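The changelog above describes CVE-2015-8630 as kadmind honouring the KADM5_POLICY mask bit without checking that the policy pointer it announces is actually non-null. As an added example, not krb5's own code, the following C models that validation step with hypothetical stand-in names (REQ_POLICY, struct principal_req, validate_policy_unchecked/validate_policy_checked): the mask-trusting form beside the form that requires the mask bit and the pointer to agree before the pointer is used.

```c
/*
 * Added example (not krb5's code): models the bug class behind CVE-2015-8630.
 * A request carries a bitmask saying which fields are present, plus the field
 * values themselves. The server must not trust the mask bit alone before
 * dereferencing the field. All names below are hypothetical stand-ins for the
 * kadm5 structures and constants named in the changelog.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical mask bit, playing the role KADM5_POLICY plays in the changelog. */
#define REQ_POLICY 0x00000004u

/* Longest policy name the server is willing to store (constructed limit). */
#define MAX_POLICY_NAME 255

/* Hypothetical error codes returned to the RPC client. */
enum { REQ_OK = 0, REQ_BAD_POLICY = 1, REQ_POLICY_TOO_LONG = 2 };

/* Minimal stand-in for a principal entry as decoded from a client request. */
struct principal_req {
    unsigned long mask;   /* which fields the client claims to have filled in */
    const char *policy;   /* policy name; may be NULL even when the bit is set */
};

/*
 * Mask-trusting pattern: the set bit is taken as proof that policy points at a
 * string, so strlen() dereferences it directly. A request with REQ_POLICY set
 * and policy == NULL drives this straight into a null-pointer dereference,
 * which is the kadmind crash the changelog describes. Shown for comparison;
 * only ever call it with a non-null policy.
 */
int validate_policy_unchecked(const struct principal_req *req)
{
    if (req->mask & REQ_POLICY) {
        if (strlen(req->policy) > MAX_POLICY_NAME)   /* crashes when policy is NULL */
            return REQ_POLICY_TOO_LONG;
    }
    return REQ_OK;
}

/*
 * Hardened pattern: the mask bit and the pointer must agree before the pointer
 * is used. A set bit with a null (or empty) name is reported as a malformed
 * request instead of being dereferenced; a clear bit means the field is
 * ignored, so a NULL there is legitimate.
 */
int validate_policy_checked(const struct principal_req *req)
{
    if (req->mask & REQ_POLICY) {
        if (req->policy == NULL || req->policy[0] == '\0')
            return REQ_BAD_POLICY;
        if (strlen(req->policy) > MAX_POLICY_NAME)   /* safe: pointer already checked */
            return REQ_POLICY_TOO_LONG;
    }
    return REQ_OK;
}

int main(void)
{
    /* Constructed requests: well-formed, malformed (bit set, pointer null), bit clear. */
    struct principal_req good = { REQ_POLICY, "default" };
    struct principal_req bad  = { REQ_POLICY, NULL };
    struct principal_req none = { 0, NULL };

    printf("good: %d\n", validate_policy_checked(&good));   /* 0 */
    printf("bad:  %d\n", validate_policy_checked(&bad));    /* 1 */
    printf("none: %d\n", validate_policy_checked(&none));   /* 0 */
    /* The unchecked variant is only safe on the well-formed request. */
    printf("unchecked good: %d\n", validate_policy_unchecked(&good));   /* 0 */
    return 0;
}
```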




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#813127; Package src:krb5. (Tue, 23 Feb 2016 12:12:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 23 Feb 2016 12:12:06 GMT)


Message #15 received at 813127@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 813296@bugs.debian.org, 813127@bugs.debian.org, 813126@bugs.debian.org
Subject: Fixes for stretch?
Date: Tue, 23 Feb 2016 13:09:44 +0100
Hi Sam, hi Ben

I noticed that CVE-2015-86{29,30,31} are still unfixed for stretch. Do
you have any timeline for an update here as well?

Would be great to have that out of the radar :-)

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#813127; Package src:krb5. (Tue, 23 Feb 2016 13:48:06 GMT)


Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Tue, 23 Feb 2016 13:48:06 GMT)


Message #20 received at 813127@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 813126@bugs.debian.org, 813296@bugs.debian.org, 813127@bugs.debian.org
Subject: Re: Bug#813126: Fixes for stretch?
Date: Tue, 23 Feb 2016 08:45:31 -0500
I have an upgrade to 1.14 (plus these patches and a few others) sitting
on the experimental branch of the git repo.  I had been planning to push
that to experimental and then if there were no problems through to sid
and stretch.  I had not been planning to make a specific upload to sid.
I guess it wouldn't be hard at all though.

--Sam



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#813127; Package src:krb5. (Tue, 23 Feb 2016 15:33:13 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 23 Feb 2016 15:33:13 GMT)


Message #25 received at 813127@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sam Hartman <hartmans@debian.org>
Cc: 813126@bugs.debian.org, 813296@bugs.debian.org, 813127@bugs.debian.org
Subject: Re: Bug#813126: Fixes for stretch?
Date: Tue, 23 Feb 2016 16:31:50 +0100
Hi Sam,

On Tue, Feb 23, 2016 at 08:45:31AM -0500, Sam Hartman wrote:
> 
> I have an upgrade to 1.14 (plus these patches and a few others) sitting
> on the experimental branch of the git repo.  I had been planning to push
> that to experimental and then if there were no problems through to sid
> and stretch.  I had not been planning to make a specific upload to sid.
> I guess it wouldn't be hard at all though.

Thanks a lot. I just wanted to make sure it is not forgotten. Above
looks like a good plan.

Regards,
Salvatore



Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Tue, 23 Feb 2016 16:27:15 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 23 Feb 2016 16:27:15 GMT)


Message #30 received at 813127-close@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: 813127-close@bugs.debian.org
Subject: Bug#813127: fixed in krb5 1.13.2+dfsg-5
Date: Tue, 23 Feb 2016 16:24:26 +0000
Source: krb5
Source-Version: 1.13.2+dfsg-5

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813127@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 23 Feb 2016 08:54:09 -0500
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-k5tls krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit9 libkadm5clnt-mit9 libk5crypto3 libkdb5-8 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source
Version: 1.13.2+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description:
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-k5tls - TLS plugin for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-locales - Internationalization support for MIT Kerberos
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit9 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit9 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-8  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 813126 813127 813296
Changes:
 krb5 (1.13.2+dfsg-5) unstable; urgency=high
 .
   * Security Update
   * Verify decoded kadmin C strings [CVE-2015-8629]
     CVE-2015-8629: An authenticated attacker can cause kadmind to read
     beyond the end of allocated memory by sending a string without a
     terminating zero byte. Information leakage may be possible for an
     attacker with permission to modify the database. (Closes: #813296)
   * Check for null kadm5 policy name [CVE-2015-8630]
     CVE-2015-8630: An authenticated attacker with permission to modify a
     principal entry can cause kadmind to dereference a null pointer by
     supplying a null policy value but including KADM5_POLICY in the mask.
     (Closes: #813127)
   * Fix leaks in kadmin server stubs [CVE-2015-8631]
     CVE-2015-8631: An authenticated attacker can cause kadmind to leak
     memory by supplying a null principal name in a request which uses one.
     Repeating these requests will eventually cause kadmind to exhaust all
     available memory. (Closes: #813126)





Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Sun, 28 Feb 2016 20:03:26 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 Feb 2016 20:03:26 GMT)


Message #35 received at 813127-close@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: 813127-close@bugs.debian.org
Subject: Bug#813127: fixed in krb5 1.14+dfsg-1
Date: Sun, 28 Feb 2016 20:00:46 +0000
Source: krb5
Source-Version: 1.14+dfsg-1

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813127@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 15 Feb 2016 15:49:06 -0500
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-kpropd krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-k5tls krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit10 libkadm5clnt-mit10 libk5crypto3 libkdb5-8 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source amd64 all
Version: 1.14+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description:
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-k5tls - TLS plugin for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-kpropd - MIT Kerberos key server (KDC)
 krb5-locales - Internationalization support for MIT Kerberos
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit10 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit10 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-8  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 708175 775277 812131 813126 813127 813296 815677
Changes:
 krb5 (1.14+dfsg-1) experimental; urgency=medium
 .
   * New upstream version, Closes: #812131
   * Apply upstream patches:
     - upstream/0010-Fix-mechglue-gss_acquire_cred_impersonate_name.patch
     - 0011-Correctly-use-k5_wrapmsg-in-ldap_principal2.c.patch
     - upstream/0012-Set-TL_DATA-mask-flag-for-master-key-operations.patch
     - upstream/0013-Check-context-handle-in-gss_export_sec_context.patch
     - upstream/0014-Check-internal-context-on-init-context-errors.patch
     - upstream/0015-Fix-interposed-gss_accept_sec_context.patch
     - upstream/0016-Work-around-uninitialized-warning-in-cc_kcm.c.patch
     - upstream/0017-Increase-hostname-length-in-ipropd_svc.c.patch
     - upstream/0018-Make-ksu-work-with-prompting-clpreauth-modules.patch
     - upstream/0019-Fix-memory-leak-in-SPNEGO-gss_init_sec_context.patch
     - upstream/0020-Fix-EOF-check-in-kadm5.acl-line-processing.patch
     - upstream/0021-Fix-iprop-server-stub-error-management.patch
     - upstream/0022-Verify-decoded-kadmin-C-strings-CVE-2015-8629.patch
     - upstream/0023-Check-for-null-kadm5-policy-name-CVE-2015-8630.patch
     - upstream/0024-Fix-leaks-in-kadmin-server-stubs-CVE-2015-8631.patch
     - Use blocking lock for db promote, Closes: #815677
   * Verify decoded kadmin C strings [CVE-2015-8629]
     CVE-2015-8629: An authenticated attacker can cause kadmind to read
     beyond the end of allocated memory by sending a string without a
     terminating zero byte. Information leakage may be possible for an
     attacker with permission to modify the database. (Closes: #813296)
   * Check for null kadm5 policy name [CVE-2015-8630]
     CVE-2015-8630: An authenticated attacker with permission to modify a
     principal entry can cause kadmind to dereference a null pointer by
     supplying a null policy value but including KADM5_POLICY in the mask.
     (Closes: #813127)
   * Fix leaks in kadmin server stubs [CVE-2015-8631]
     CVE-2015-8631: An authenticated attacker can cause kadmind to leak
     memory by supplying a null principal name in a request which uses one.
     Repeating these requests will eventually cause kadmind to exhaust all
     available memory. (Closes: #813126)
 .
   * Remove all references to libkrb53, Closes: #708175
   * Merge patch for kpropd service, introducing a new stub package for now
     that will contain the binaries in stretch+1.  We don't want to move
     the binaries now because we'd either break existing installations or
     we'd need krb5-kdc to depend on the new package, which would cause
     kpropd to start in cases where we don't want it, thanks Mark Proehl
     and Michael Weiser, Closes: #775277





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 28 Mar 2016 07:29:26 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:45:15 2019; Machine Name: beach
