Debian Bug report logs - #654231
CVE-2011-4862

Package: krb5-telnetd; Maintainer for krb5-telnetd is (unknown);

Reported by: Moritz Muehlenhoff <muehlenhoff@univention.de>

Date: Mon, 2 Jan 2012 13:48:15 UTC

Severity: critical

Tags: security

Found in version krb5-appl/1:1.0~alpha1-1

Fixed in versions krb5-appl/1:1.0.1-1.2, krb5-appl/1:1.0.1-2

Done: Russ Allbery <rra@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#654231; Package krb5-telnetd. (Mon, 02 Jan 2012 13:48:19 GMT)


Acknowledgement sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Sam Hartman <hartmans@debian.org>. (Mon, 02 Jan 2012 13:48:20 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <muehlenhoff@univention.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2011-4862
Date: Mon, 02 Jan 2012 14:46:15 +0100
Package: krb5-telnetd
Severity: critical
Tags: security

http://www.debian.org/security/2011/dsa-2375 is still unfixed in sid.

Patch from the DSA attached.

Cheers,
        Moritz
[CVE-2011-4862 (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#654231; Package krb5-telnetd. (Mon, 19 Mar 2012 19:54:09 GMT)


Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 19 Mar 2012 19:54:09 GMT)


Message #10 received at 654231@bugs.debian.org:

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Moritz Muehlenhoff <muehlenhoff@univention.de>, 654231@bugs.debian.org
Subject: Re: Bug#654231: CVE-2011-4862
Date: Mon, 19 Mar 2012 19:48:23 +0000
found 654231 1:1.0~alpha1-1
fixed 654231 1:1.0.1-1.2
thanks

On Mon, 2012-01-02 at 14:46 +0100, Moritz Muehlenhoff wrote:
> Package: krb5-telnetd
> Severity: critical
> Tags: security
> 
> http://www.debian.org/security/2011/dsa-2375 is still unfixed in sid.

fwiw, this is now fixed in sid, but only because we propagated the
package up to testing and unstable during the 6.0.4 point release, so as
not to make dak cry.  This is also the reason that CVE-2011-1526 (from
DSA-2283) is fixed in sid.

Regards,

Adam
Marked as found in versions krb5-appl/1:1.0~alpha1-1. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Mon, 19 Mar 2012 19:54:31 GMT)


Marked as fixed in versions krb5-appl/1:1.0.1-1.2. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Mon, 19 Mar 2012 19:54:32 GMT)


Reply sent to Russ Allbery <rra@debian.org>:
You have taken responsibility. (Tue, 20 Mar 2012 05:51:03 GMT)


Notification sent to Moritz Muehlenhoff <muehlenhoff@univention.de>:
Bug acknowledged by developer. (Tue, 20 Mar 2012 05:51:04 GMT)


Message #19 received at 654231-close@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: 654231-close@bugs.debian.org
Subject: Bug#654231: fixed in krb5-appl 1:1.0.1-2
Date: Tue, 20 Mar 2012 05:48:12 +0000
Source: krb5-appl
Source-Version: 1:1.0.1-2

We believe that the bug you reported is fixed in the latest version of
krb5-appl, which is due to be installed in the Debian FTP archive:

krb5-appl_1.0.1-2.debian.tar.gz
  to main/k/krb5-appl/krb5-appl_1.0.1-2.debian.tar.gz
krb5-appl_1.0.1-2.dsc
  to main/k/krb5-appl/krb5-appl_1.0.1-2.dsc
krb5-clients_1.0.1-2_i386.deb
  to main/k/krb5-appl/krb5-clients_1.0.1-2_i386.deb
krb5-ftpd_1.0.1-2_i386.deb
  to main/k/krb5-appl/krb5-ftpd_1.0.1-2_i386.deb
krb5-rsh-server_1.0.1-2_i386.deb
  to main/k/krb5-appl/krb5-rsh-server_1.0.1-2_i386.deb
krb5-telnetd_1.0.1-2_i386.deb
  to main/k/krb5-appl/krb5-telnetd_1.0.1-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 654231@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Russ Allbery <rra@debian.org> (supplier of updated krb5-appl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 19 Mar 2012 22:20:08 -0700
Source: krb5-appl
Binary: krb5-clients krb5-rsh-server krb5-ftpd krb5-telnetd
Architecture: source i386
Version: 1:1.0.1-2
Distribution: unstable
Urgency: low
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Russ Allbery <rra@debian.org>
Description: 
 krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos
 krb5-ftpd  - Secure FTP server supporting MIT Kerberos
 krb5-rsh-server - Secure replacements for rshd and rlogind using MIT Kerberos
 krb5-telnetd - Secure telnet server supporting MIT Kerberos
Closes: 654231 657842
Changes: 
 krb5-appl (1:1.0.1-2) unstable; urgency=low
 .
   * Hopefully temporary interim release until I learn the proper procedure
     for package updates to new upstream releases.
   * Acknowledge security NMUs, thanks Florian Weimer.
     - Apply patch from FreeBSD to fix CVE-2011-4862 (Closes: #654231)
     - CVE-2011-1526, MIT-SA-2011-005: Kerberos ftpd fails to set correct
       group permissions.  The ftp daemon always runs with the group
       permissions of the user it is started as, probably the root group.
   * Apply upstream commits r3299 and r3326 to not use variable data
     as format strings, which allows the source to compile safely with
     -Wformat -Werror=format-security.
   * Fix spelling errors in man pages (thanks, Lintian).
   * Update debhelper compatibility level to V9.
     - Use hardening build flags.  (Closes: #657842)
   * Use dh-autoreconf to regenerate the build system during build and use
     its support for --as-needed.  Use the new dpkg-buildflags method of
     passing -Wl,--as-needed.
   * Remove duplicate Priority fields from binary packages.
   * Update standards version to 3.9.3 (no changes required).
Checksums-Sha1: 
 ae474e4f1edc769eb36159f69ce3b62b752d1060 1755 krb5-appl_1.0.1-2.dsc
 8a5c7395f56046bf969226f5a2bfc9d62276b887 11260 krb5-appl_1.0.1-2.debian.tar.gz
 dc2c6f25c96b91fe3361a29fcce4d9dc9b49256a 168420 krb5-clients_1.0.1-2_i386.deb
 34781ca0594c5a48cc0fae948284015a16c6e10e 61234 krb5-rsh-server_1.0.1-2_i386.deb
 a7f5f65ae820b0b0b68a97bb1eba439d46f36f39 45784 krb5-ftpd_1.0.1-2_i386.deb
 0eb76017b16c41f514dfc4ad1800a1d9bffd3893 52468 krb5-telnetd_1.0.1-2_i386.deb
Checksums-Sha256: 
 a5decafd9818ae5c079c205e8fb84968ecd9337a884f66aec75560b5c7c3d03c 1755 krb5-appl_1.0.1-2.dsc
 d3a3cc715a5cf8210704e525e33ea2af537e488b8cf2d839b29cb661c702c38d 11260 krb5-appl_1.0.1-2.debian.tar.gz
 3da11c440c9dd64791fa4cc4c3c8fca4a1f834e7c945b87ab68d1497367ae88c 168420 krb5-clients_1.0.1-2_i386.deb
 77556e68dd5c88115a74b4b589bd12ba12de1f434b64df1cc6db76b2ffb406a6 61234 krb5-rsh-server_1.0.1-2_i386.deb
 99b4cdd503d2af11c7588fd2f8770eeb6a3a9d666085bb6f6fde17afaad7edc8 45784 krb5-ftpd_1.0.1-2_i386.deb
 3065f377e185a0ec64cefcf4aa76e919eb1fba20217b686c4e0a1d9487153abd 52468 krb5-telnetd_1.0.1-2_i386.deb
Files: 
 b1815d97f9abe9571700776509090483 1755 net extra krb5-appl_1.0.1-2.dsc
 91c56674563c8b44cfde58cf2a4f2c26 11260 net extra krb5-appl_1.0.1-2.debian.tar.gz
 222e59809485a38c6ad171005ffcf140 168420 net optional krb5-clients_1.0.1-2_i386.deb
 89ecc9e4972c8f5aa8e9e6189e39dd5b 61234 net extra krb5-rsh-server_1.0.1-2_i386.deb
 fe9bdaa5e073c8c196e0815cf15f1eb7 45784 net extra krb5-ftpd_1.0.1-2_i386.deb
 f4b74f932647a0c8adde8ea902ffaa8e 52468 net extra krb5-telnetd_1.0.1-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQEcBAEBCAAGBQJPaBabAAoJEH2AMVxXNt51VmwIAI8+BudedysAwuVDV8Nyrwhz
9U3Uwu9P9BzVa42v2Si0CAD8y6JsEl07+9B2XSPJOKeWxO6RB30Unb2cnbshsXrk
8xtpquYDEnbYNrUDJV6D87MFyo4xVd3YQh4Ea6AVng/tooyOURvQ/Dq1JfzShKi7
2ivX3NbAlga8zZLeCR04z1iTSS2VMUFbHFKrR+dXpe3uUxDXkjlRBRdfJxq/dvI4
0RgbUnOL7xmjWJd+u5fv5/y/3crr/d39a6SCRRyHAeIkjGuYXKSf000Y1HGhOflU
WcJVQdTZwJivEyEN9XfEosdjmjuFeLCKd6fzSfYweMlLUXyguRm0LKp0lUMoebY=
=bW8C
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 17 Apr 2012 07:32:43 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 19:08:38 2019; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.