CVE-2015-2694 in krb5-otp, krb5-pkinit


Debian Bug report logs - #783557


Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Benjamin Kaduk <kaduk@MIT.EDU>

Date: Mon, 27 Apr 2015 22:39:02 UTC

Severity: normal

Tags: fixed-upstream, security, upstream

Found in version krb5/1.12.1+dfsg-19

Fixed in versions krb5/1.12.1+dfsg-19+deb8u3, krb5/1.13.2+dfsg-1, krb5/1.12.1+dfsg-20

Done: Sam Hartman <hartmans@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#783557; Package src:krb5. (Mon, 27 Apr 2015 22:39:08 GMT) (full text, mbox, link).


Acknowledgement sent to Benjamin Kaduk <kaduk@MIT.EDU>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 27 Apr 2015 22:39:08 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Benjamin Kaduk <kaduk@MIT.EDU>
To: submit@bugs.debian.org
Subject: CVE-2015-2694 in krb5-otp, krb5-pkinit
Date: Mon, 27 Apr 2015 18:37:41 -0400 (EDT)
Source: krb5
Version: 1.12.1+dfsg-19
Tags: security

Two errors in krb5-otp and krb5-pkinit can interact to allow an attacker
to get a ciphertext in a long-term (potentially password-derived) key
without properly pre-authenticating, allowing for an offline brute-force
attack.

It is believed that both components must be present to trigger the bug;
upstream's commit message for the fix (included below) is written on the
assumption that the OTP functionality is part of the base KDC, but in
Debian we provide it in a separate package, krb5-otp.

-Ben

Prevent requires_preauth bypass [CVE-2015-2694]

In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
the request is successfully verified.  In the PKINIT kdcpreauth
module, don't respond with code 0 on empty input or an unconfigured
realm.  Together these bugs could cause the KDC preauth framework to
erroneously treat a request as pre-authenticated.

CVE-2015-2694:

In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key.  This ciphertext could be
used to conduct an off-line dictionary attack against the user's
password.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
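Added example, not code from the bug report or from MIT krb5: a simplified C model of the preauth decision the commit message above describes, with the vulnerable and fixed variant of each module side by side. The type names, the request_ctx stand-ins for the RADIUS answer and for realm configuration, and the framework loop are this example's own simplification; only the pa-data type numbers (RFC 6560, RFC 4556) and TKT_FLG_PRE_AUTH are real names.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model of the KDC preauth decision, written for this page to show
 * the two invariants the CVE-2015-2694 fix restores.  It is NOT MIT krb5 code;
 * padata_t, request_ctx, module_fn and verify_request are this example's own. */
#define TKT_FLG_PRE_AUTH   0x1   /* the flag the framework consults at the end */
#define ERR_PREAUTH_FAILED 1
#define ERR_INVALID_INPUT  2
#define ERR_NO_REALM       3
#define PA_OTP_REQUEST   142     /* pa-data type numbers from RFC 6560 / RFC 4556 */
#define PA_PK_AS_REQ      16
typedef struct { int type; const unsigned char *data; size_t len; } padata_t;
typedef struct {
    unsigned flags;                  /* stands in for the reply's ticket flags */
    bool otp_valid;                  /* stands in for the asynchronous RADIUS answer */
    bool pkinit_realm_configured;
} request_ctx;
typedef int (*module_fn)(request_ctx *ctx, const padata_t *pa);

/* Vulnerable OTP module: sets the flag before verifying, and a failed
 * verification leaves it set. */
static int otp_verify_vulnerable(request_ctx *ctx, const padata_t *pa) {
    (void)pa;
    ctx->flags |= TKT_FLG_PRE_AUTH;
    return ctx->otp_valid ? 0 : ERR_PREAUTH_FAILED;
}

/* Fixed OTP module: the flag is set only after the token verified. */
static int otp_verify_fixed(request_ctx *ctx, const padata_t *pa) {
    (void)pa;
    if (!ctx->otp_valid)
        return ERR_PREAUTH_FAILED;
    ctx->flags |= TKT_FLG_PRE_AUTH;
    return 0;
}

/* Vulnerable PKINIT module: empty input or an unconfigured realm returns 0,
 * which the framework reads as "this padata verified". */
static int pkinit_verify_vulnerable(request_ctx *ctx, const padata_t *pa) {
    if (pa->len == 0 || !ctx->pkinit_realm_configured)
        return 0;
    return ERR_PREAUTH_FAILED;   /* certificate checking is out of scope here */
}

/* Fixed PKINIT module: both cases are errors, never success. */
static int pkinit_verify_fixed(request_ctx *ctx, const padata_t *pa) {
    if (pa->len == 0)
        return ERR_INVALID_INPUT;
    if (!ctx->pkinit_realm_configured)
        return ERR_NO_REALM;
    return ERR_PREAUTH_FAILED;
}

/* Framework: try each padata in turn; the first module returning 0 ends the
 * loop, and the request counts as pre-authenticated only if the flag is set. */
static int verify_request(request_ctx *ctx, const padata_t *pas, size_t n,
                          module_fn otp, module_fn pkinit) {
    int last = ERR_PREAUTH_FAILED;
    for (size_t i = 0; i < n; i++) {
        module_fn fn = pas[i].type == PA_OTP_REQUEST ? otp
                     : pas[i].type == PA_PK_AS_REQ ? pkinit : NULL;
        if (fn == NULL) continue;
        last = fn(ctx, &pas[i]);
        if (last == 0)
            break;
    }
    return (last == 0 && (ctx->flags & TKT_FLG_PRE_AUTH)) ? 0 : ERR_PREAUTH_FAILED;
}

/* Feed a constructed request (an OTP element, then an empty PKINIT element)
 * through either module set; true means the framework accepted it. */
bool accepted(bool fixed, bool otp_valid) {
    const padata_t pas[2] = {
        { PA_OTP_REQUEST, (const unsigned char *)"token", 5 },
        { PA_PK_AS_REQ, NULL, 0 },
    };
    request_ctx ctx = { 0, otp_valid, true };
    int rc = verify_request(&ctx, pas, 2,
                            fixed ? otp_verify_fixed : otp_verify_vulnerable,
                            fixed ? pkinit_verify_fixed : pkinit_verify_vulnerable);
    return rc == 0;
}
```

With the vulnerable modules the request is accepted even though the OTP token was rejected; with the fixed modules it is refused unless the OTP token actually verified.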




Added tag(s) upstream and fixed-upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 28 Apr 2015 04:27:04 GMT) (full text, mbox, link).


Reply sent to Benjamin Kaduk <kaduk@mit.edu>:
You have taken responsibility. (Wed, 13 May 2015 19:27:15 GMT) (full text, mbox, link).


Notification sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Bug acknowledged by developer. (Wed, 13 May 2015 19:27:15 GMT) (full text, mbox, link).


Message #12 received at 783557-close@bugs.debian.org (full text, mbox, reply):

From: Benjamin Kaduk <kaduk@mit.edu>
To: 783557-close@bugs.debian.org
Subject: Bug#783557: fixed in krb5 1.12.1+dfsg-20
Date: Wed, 13 May 2015 19:22:48 +0000
Source: krb5
Source-Version: 1.12.1+dfsg-20

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783557@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Kaduk <kaduk@mit.edu> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 13 May 2015 14:40:36 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit9 libkadm5clnt-mit9 libk5crypto3 libkdb5-7 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source all amd64
Version: 1.12.1+dfsg-20
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Benjamin Kaduk <kaduk@mit.edu>
Description:
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-locales - Internationalization support for MIT Kerberos
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit9 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit9 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-7  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 783557
Changes:
 krb5 (1.12.1+dfsg-20) unstable; urgency=high
 .
   * Import upstream patch for CVE-2015-2694, Closes: #783557
   * Bump Standards-Version to 3.9.6 (no changes needed)
Checksums-Sha1:
Checksums-Sha256:
Files:





Reply sent to Benjamin Kaduk <kaduk@mit.edu>:
You have taken responsibility. (Thu, 14 May 2015 18:09:10 GMT) (full text, mbox, link).


Notification sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Bug acknowledged by developer. (Thu, 14 May 2015 18:09:10 GMT) (full text, mbox, link).


Message #17 received at 783557-close@bugs.debian.org (full text, mbox, reply):

From: Benjamin Kaduk <kaduk@mit.edu>
To: 783557-close@bugs.debian.org
Subject: Bug#783557: fixed in krb5 1.13.2+dfsg-1
Date: Thu, 14 May 2015 18:05:53 +0000
Source: krb5
Source-Version: 1.13.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 783557@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Kaduk <kaduk@mit.edu> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 14 May 2015 13:38:58 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-k5tls krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit9 libkadm5clnt-mit9 libk5crypto3 libkdb5-8 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source all amd64
Version: 1.13.2+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Benjamin Kaduk <kaduk@mit.edu>
Description:
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-k5tls - TLS plugin for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-locales - Internationalization support for MIT Kerberos
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit9 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit9 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-8  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 746395 783557
Changes:
 krb5 (1.13.2+dfsg-1) experimental; urgency=medium
 .
   * New upstream release:
     - Fix importing GSS composite export names
     - Fix kadm5.acl wildcard matching when early lines have partial matches
     - Disable principal renames for LDAP; they do not work properly and are
       hard to fix
     - Fix LDAP ticket policies on big-endian LP64 systems
     - Fix memory leak in DB2 iteration
     - Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
   * Add python to build-depends-indep, since we call it manually during
     the documentation build, Closes: #746395
Checksums-Sha1:
Checksums-Sha256:
Files:





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 13 Jun 2015 07:30:49 GMT) (full text, mbox, link).


Bug unarchived. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Sun, 27 Aug 2017 21:45:16 GMT) (full text, mbox, link).


Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Mon, 28 Aug 2017 21:09:05 GMT) (full text, mbox, link).


Notification sent to Benjamin Kaduk <kaduk@MIT.EDU>:
Bug acknowledged by developer. (Mon, 28 Aug 2017 21:09:05 GMT) (full text, mbox, link).


Message #26 received at 783557-done@bugs.debian.org (full text, mbox, reply):

From: Sam Hartman <hartmans@debian.org>
To: 869260-done@bugs.debian.org, 832572-done@bugs.debian.org, 819468-done@bugs.debian.org, 783557-done@bugs.debian.org
Subject: Fixed in krb5 1.12.1+dfsg-19+deb8u3
Date: Mon, 28 Aug 2017 16:57:41 -0400
source: krb5
source-version: 1.12.1+dfsg-19+deb8ku3

Hi.
The following issues were fixed in 1.12.1+dfsg-19+deb8u3 for jessie.
I ended up needing to build a +deb8u4 because of a build/upload issue,
and so the bugs were not automatically closed.
Here's the relevant changelog info:

krb5 (1.12.1+dfsg-19+deb8u4) jessie; urgency=medium

  * New version number; same code as deb8u3 but rebuilt to build arch all
    packages and because dgit doesn't deal well with reusing a version
    number when a package is rejected

 -- Sam Hartman <hartmans@debian.org>  Mon, 28 Aug 2017 11:55:49 -0400

krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high

  * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
    Closes: #869260
  * fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), Closes:
    #832572
  * fix for CVE-2016-3119: remote DOS with ldap for authenticated
    attackers, Closes: #819468
  * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
  
 -- Sam Hartman <hartmans@debian.org>  Sun, 13 Aug 2017 18:02:34 -0400


No longer marked as fixed in versions krb5/1.12.1+dfsg-19+deb8ku3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Aug 2017 05:03:06 GMT) (full text, mbox, link).


Marked as fixed in versions krb5/1.12.1+dfsg-19+deb8u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Aug 2017 05:03:06 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Sep 2017 07:28:36 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:27:10 2019; Machine Name: beach
