CVE-2012-1013

Related Vulnerabilities: CVE-2012-1013

Debian Bug report logs - #687647
CVE-2012-1013

Package: krb5; Maintainer for krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Fri, 14 Sep 2012 15:27:01 UTC

Severity: serious

Tags: security

Fixed in version krb5/1.10.1+dfsg-3

Done: Sam Hartman <hartmans@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#687647; Package krb5. (Fri, 14 Sep 2012 15:27:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>. (Fri, 14 Sep 2012 15:27:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2012-1013
Date: Thu, 13 Sep 2012 23:31:00 +0200

Package: krb5
Severity: important
Tags: security

This issue is still unfixed in Wheezy. Although not grave, it would be nice to
have it fixed in Wheezy:

https://github.com/krb5/krb5/commit/c5be6209311d4a8f10fda37d0d3f876c1b33b77b

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#687647; Package krb5. (Mon, 19 Nov 2012 21:57:15 GMT)


Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Mon, 19 Nov 2012 21:57:15 GMT)


Message #10 received at 687647@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 687647@bugs.debian.org, Debian Bug Tracking System <control@bugs.debian.org>
Subject: Re: Bug#687647: CVE-2012-1013
Date: Mon, 19 Nov 2012 16:44:47 -0500

severity 687647 serious
thanks

justification: In my opinion as maintainer it would be strongly
desirable to release with this security fix in place



Severity set to 'serious' from 'important'. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Mon, 19 Nov 2012 21:57:24 GMT)


Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Mon, 19 Nov 2012 23:21:06 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 19 Nov 2012 23:21:06 GMT)


Message #17 received at 687647-close@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: 687647-close@bugs.debian.org
Subject: Bug#687647: fixed in krb5 1.10.1+dfsg-3
Date: Mon, 19 Nov 2012 23:17:57 +0000

Source: krb5
Source-Version: 1.10.1+dfsg-3

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 687647@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Mon, 19 Nov 2012 17:35:04 -0500
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit8 libkadm5clnt-mit8 libk5crypto3 libkdb5-6 libkrb5support0 krb5-gss-samples krb5-locales
Architecture: source all amd64
Version: 1.10.1+dfsg-3
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-locales - Internationalization support for MIT Kerberos
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit8 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit8 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-6  - MIT Kerberos runtime libraries - Kerberos database
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 687647 693741
Changes: 
 krb5 (1.10.1+dfsg-3) unstable; urgency=low
 .
   * Kadmind crash only triggered by admin users, cve-2012-1013, Closes:
     #687647
   * Don't unload GSS-API plugins to avoid crashing applications that use
     GSS-API on systems with plugins installed, Closes: #693741


Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#687647; Package krb5. (Tue, 20 Nov 2012 12:36:07 GMT)


Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 20 Nov 2012 12:36:07 GMT)


Message #22 received at 687647@bugs.debian.org:

From: Jonathan Wiltshire <jmw@debian.org>
To: 687647@bugs.debian.org
Subject: Re: CVE-2012-1013
Date: Tue, 20 Nov 2012 12:15:02 -0000

Package: krb5

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.7) - use target "stable"

Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/687647/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 19 Dec 2012 07:26:18 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:03:41 2019; Machine Name: buxtehude
