krb5: CVE-2018-20217: Ignore password attributes for S4U2Self requests

Related Vulnerabilities: CVE-2018-20217  

Debian Bug report logs - #917387
krb5: CVE-2018-20217: Ignore password attributes for S4U2Self requests


Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 27 Dec 2018 07:42:01 UTC

Severity: normal

Tags: patch, security, upstream

Found in version krb5/1.16.1-1

Fixed in version krb5/1.16.2-1

Done: Sam Hartman <hartmans@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#917387; Package src:krb5. (Thu, 27 Dec 2018 07:42:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Sam Hartman <hartmans@debian.org>. (Thu, 27 Dec 2018 07:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: krb5: CVE-2018-20217: Ignore password attributes for S4U2Self requests
Date: Thu, 27 Dec 2018 08:39:43 +0100
Source: krb5
Version: 1.16.1-1
Severity: normal
Tags: patch security upstream
Forwarded: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763

Hi,

The following vulnerability was published for krb5.

CVE-2018-20217[0]:
| A Reachable Assertion issue was discovered in the KDC in MIT Kerberos
| 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket
| using an older encryption type (single-DES, triple-DES, or RC4), the
| attacker can crash the KDC by making an S4U2Self request.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-20217
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217
[1] http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763
[2] https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
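The CVE text quoted above makes a krbtgt ticket issued with an older encryption type (single-DES, triple-DES or RC4) the precondition for the KDC crash; the fix itself is the upgrade to 1.16.2-1 recorded below. As an added defender's example, which is not part of this bug report or of the krb5 project's own files, the fragment below shows a KDC configuration that only creates AES keys and only negotiates AES session keys, so that precondition is not met on a realm whose clients all support AES. The realm name EXAMPLE.COM and the file paths are placeholders; the option names are standard MIT krb5 kdc.conf / krb5.conf keys.

```ini
; /etc/krb5kdc/kdc.conf (Debian's default location) -- constructed example,
; the realm name is a placeholder
[realms]
    EXAMPLE.COM = {
        ; Key types created for new or rekeyed principals, including
        ; krbtgt/EXAMPLE.COM once it is rekeyed: AES only, so no
        ; des-cbc-crc, des3-cbc-sha1 or arcfour-hmac krbtgt keys exist
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
    }

; /etc/krb5.conf -- the KDC honours [libdefaults] as well
[libdefaults]
    ; single-DES is already disabled by default in this krb5 series; keep it so
    allow_weak_crypto = false
    ; Session key types the KDC is allowed to issue in tickets, and the
    ; types clients on this host request; triple-DES and RC4 are omitted
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
```

supported_enctypes only affects keys generated after the change, so an existing krbtgt principal keeps its older key types until it is rekeyed with kadmin (cpw -randkey on krbtgt/EXAMPLE.COM); whether a realm can drop triple-DES and RC4 depends on its oldest clients, and klist -e on a client shows which enctypes its tickets actually carry.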



Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Mon, 31 Dec 2018 22:51:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 31 Dec 2018 22:51:05 GMT)


Message #10 received at 917387-close@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: 917387-close@bugs.debian.org
Subject: Bug#917387: fixed in krb5 1.16.2-1
Date: Mon, 31 Dec 2018 22:50:17 +0000
Source: krb5
Source-Version: 1.16.2-1

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 917387@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 31 Dec 2018 15:25:16 -0500
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-kpropd krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-k5tls krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit11 libkadm5clnt-mit11 libk5crypto3 libkdb5-9 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source
Version: 1.16.2-1
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description:
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-k5tls - TLS plugin for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-kpropd - MIT Kerberos key server (Slave KDC Support)
 krb5-locales - internationalization support for MIT Kerberos
 krb5-multidev - development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit11 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit11 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-9  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - debugging files for MIT Kerberos
 libkrb5-dev - headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 915780 917387
Changes:
 krb5 (1.16.2-1) unstable; urgency=medium
 .
   [ Ondřej Nový ]
   * d/changelog: Remove trailing whitespaces
   * d/control: Remove trailing whitespaces
   * d/rules: Remove trailing whitespaces
 .
 .
   [ Sam Hartman ]
   * New Upstream version, Closes: #915780
   * CVE-2018-20217: Incorrect KDC assertion leading to denial of service,
     Closes: #917387
   * Fix typo in tests
Checksums-Sha1:
 8fbc8424251e03f2ee36d1221431350b702c317e 3318 krb5_1.16.2-1.dsc
 6d6ef205194be386fb5f4e6bef32cb9fc79e853b 9652415 krb5_1.16.2.orig.tar.gz
 39b80bb3dcabee3f83b1c6a7ebd742b7cdec31a2 98292 krb5_1.16.2-1.debian.tar.xz
Checksums-Sha256:
 6ca811aed6ab413828b5f14cf08d32ab7707e84ef32c542a73634c17bfbe07c2 3318 krb5_1.16.2-1.dsc
 9f721e1fe593c219174740c71de514c7228a97d23eb7be7597b2ae14e487f027 9652415 krb5_1.16.2.orig.tar.gz
 11b44f46f965c3b76258da67ffb110af20c3b718a62e27a8df28e1a2f7971774 98292 krb5_1.16.2-1.debian.tar.xz
Files:
 d44b068e3b6118950facf9070f805237 3318 net optional krb5_1.16.2-1.dsc
 ffd52595e969fb700d37313606e4dc3d 9652415 net optional krb5_1.16.2.orig.tar.gz
 67ca84e219c487f0ac19d514eb44ad0f 98292 net optional krb5_1.16.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE9Li3nMNy++OFgPTCQe7SUh/WssoFAlwqizwACgkQQe7SUh/W
sspDVwf9El5DaHRnyHkQSC3MTRdJQ357PjSTGcZEV6pySBf2zhnl64I9fNtApHaK
rt5zrGRWvtD9iTnlxlR9fWq4MdxP8vERUV+1rkB13F3EIPCKKnOAUGv40W1qyEVh
iCkYGSy0U9xDcEHcd60xC9oUPx8SkpXr2wBY3YQ5ldin+EZTzSAhI3QuL7B1K3xm
vtJfnyiKN13s0ZnrkvQhZY6AHDg+ukDRam4Vixu5ZRd5t31H2JliqAlB4jOgGaw4
kH6VqSSI1EpfcIzdzorxTiOkRJg0ShuBBYLj0g0hgBaWTeLO4sX3zNNARDDSdWig
FD30nx4q4VG2A3ug0k7c+PiQwXBFmA==
=k95n
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 29 Jan 2019 07:31:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:58:56 2019; Machine Name: buxtehude
