CVE-2017-11368

Related Vulnerabilities: CVE-2017-11368   CVE-2016-3120   CVE-2016-3119   CVE-2015-2694  

Debian Bug report logs - #869260
CVE-2017-11368

Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sat, 22 Jul 2017 06:42:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version krb5/1.10.1+dfsg-5

Fixed in versions krb5/1.12.1+dfsg-19+deb8u3, krb5/1.15-1+deb9u1, krb5/1.15.1-2

Done: Sam Hartman <hartmans@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#869260; Package src:krb5. (Sat, 22 Jul 2017 06:42:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>. (Sat, 22 Jul 2017 06:42:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2017-11368
Date: Sat, 22 Jul 2017 08:38:53 +0200
Source: krb5
Severity: grave
Tags: security

Hi,
please see:
https://github.com/krb5/krb5/pull/678/commits/a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2

Cheers,
        Moritz



Marked as found in versions krb5/1.10.1+dfsg-5. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 22 Jul 2017 06:45:07 GMT)


Added tag(s) fixed-upstream and upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sat, 22 Jul 2017 06:45:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#869260; Package src:krb5. (Sun, 23 Jul 2017 18:27:02 GMT)


Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Sun, 23 Jul 2017 18:27:02 GMT)


Message #14 received at 869260@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 869260@bugs.debian.org
Subject: Re: Bug#869260: CVE-2017-11368
Date: Sun, 23 Jul 2017 14:23:17 -0400

Take a look at the stretch branch of
git://git.debian.org/git/pkg-k5-afs/debian-krb5-2013.git

Shall I upload that to stable-security?



Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Sun, 23 Jul 2017 19:24:07 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 23 Jul 2017 19:24:07 GMT)


Message #19 received at 869260-close@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: 869260-close@bugs.debian.org
Subject: Bug#869260: fixed in krb5 1.15.1-2
Date: Sun, 23 Jul 2017 19:20:34 +0000
Source: krb5
Source-Version: 1.15.1-2

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869260@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 23 Jul 2017 14:16:38 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-kpropd krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-k5tls krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit11 libkadm5clnt-mit11 libk5crypto3 libkdb5-8 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source
Version: 1.15.1-2
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description:
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-k5tls - TLS plugin for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-kpropd - MIT Kerberos key server (KDC)
 krb5-locales - internationalization support for MIT Kerberos
 krb5-multidev - development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit11 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit11 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-8  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - debugging files for MIT Kerberos
 libkrb5-dev - headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 868035 868121 869260
Changes:
 krb5 (1.15.1-2) unstable; urgency=high
 .
   * Depend on libsasl2-dev for LDAP SASL authentication, Thanks Hideki
     Yamane, Closes: #868035
   * Remove /etc/gss/mech.d/README on libgssapi-krb5-2 purge, Closes: #868121
   * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
     Closes: #869260
   * Set Restart=on-abnormal in krb5-kdc.service and krb5-admind.service to
     minimize the impact of future DOS bugs.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#869260; Package src:krb5. (Mon, 24 Jul 2017 15:57:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Mon, 24 Jul 2017 15:57:03 GMT)


Message #24 received at 869260@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sam Hartman <hartmans@debian.org>, 869260@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#869260: CVE-2017-11368
Date: Mon, 24 Jul 2017 17:53:23 +0200

Hi Sam,

On Sun, Jul 23, 2017 at 02:23:17PM -0400, Sam Hartman wrote:
> Take a look at the stretch branch of
> git://git.debian.org/git/pkg-k5-afs/debian-krb5-2013.git
> 
> Shall I upload that to stable-security?

Thanks for your work. Can you send the resulting debdiff for a short
review and ack to the security team at team@security.debian.org?

(Please target stretch-security rather than stable-security, the former is
preferred).

What about jessie-security? There are as well some CVEs previously
marked no-dsa because they did not warrant a DSA on their own, can you
include fixes for those as well?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#869260; Package src:krb5. (Mon, 24 Jul 2017 18:12:08 GMT)


Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Mon, 24 Jul 2017 18:12:08 GMT)


Message #29 received at 869260@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 869260@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#869260: CVE-2017-11368
Date: Mon, 24 Jul 2017 14:09:06 -0400

Actually, on that note, why does this bug merit a DSA?
It, like the other bugs, is a simple KDC crash from an authenticated
attacker.
It seems like it should be handled the same.



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#869260; Package src:krb5. (Tue, 25 Jul 2017 10:24:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 25 Jul 2017 10:24:03 GMT)


Message #34 received at 869260@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sam Hartman <hartmans@debian.org>, 869260@bugs.debian.org
Cc: Moritz Muehlenhoff <jmm@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#869260: CVE-2017-11368
Date: Tue, 25 Jul 2017 12:21:19 +0200

Hi Sam,

On Mon, Jul 24, 2017 at 02:09:06PM -0400, Sam Hartman wrote:
> Actually, on that note, why does this bug merit a DSA?
> It, like the other bugs, is a simple KDC crash from an authenticated
> attacker.
> It seems like it should be handled the same.

Yes indeed we can handle it the same. I just have marked it as no-dsa
for stretch and jessie.

Might any of you have time to prepare an update for an upcoming point
release and propose the update to the stable release managers?

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#869260; Package src:krb5. (Tue, 25 Jul 2017 12:09:02 GMT)


Acknowledgement sent to Sam Hartman <hartmans@debian.org>:
Extra info received and forwarded to list. (Tue, 25 Jul 2017 12:09:02 GMT)


Message #39 received at 869260@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 869260@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#869260: CVE-2017-11368
Date: Tue, 25 Jul 2017 08:04:09 -0400

I can absolutely prepare a stable point update request for stretch.
Is there still going to be a last point release to jessie?
If so I'll look into that too; I'd definitely like to get an update in.



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#869260; Package src:krb5. (Tue, 25 Jul 2017 12:18:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 25 Jul 2017 12:18:06 GMT)


Message #44 received at 869260@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Sam Hartman <hartmans@debian.org>
Cc: Salvatore Bonaccorso <carnil@debian.org>, 869260@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#869260: CVE-2017-11368
Date: Tue, 25 Jul 2017 14:15:23 +0200

On Tue, Jul 25, 2017 at 08:04:09AM -0400, Sam Hartman wrote:
> 
> I can absolutely prepare a stable point update request for stretch.
> Is there still going to be a last point release to jessie?

There will be point releases for jessie at least until June 2018,
i.e. one year after the stretch release, so yes :-)

Cheers,
        Moritz



Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Sat, 12 Aug 2017 16:21:41 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sat, 12 Aug 2017 16:21:41 GMT)


Message #49 received at 869260-close@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: 869260-close@bugs.debian.org
Subject: Bug#869260: fixed in krb5 1.15-1+deb9u1
Date: Sat, 12 Aug 2017 16:17:09 +0000
Source: krb5
Source-Version: 1.15-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 869260@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 09 Aug 2017 12:19:50 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-kpropd krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-k5tls krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit11 libkadm5clnt-mit11 libk5crypto3 libkdb5-8 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source
Version: 1.15-1+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description:
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-k5tls - TLS plugin for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-kpropd - MIT Kerberos key server (KDC)
 krb5-locales - internationalization support for MIT Kerberos
 krb5-multidev - development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit11 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit11 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-8  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - debugging files for MIT Kerberos
 libkrb5-dev - headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 856307 860767 869260
Changes:
 krb5 (1.15-1+deb9u1) stretch; urgency=high
 .
   * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
     Closes: #869260
   * Upstream patches to fix startup if getaddrinfo() returns a wildcard v6
     address, and to fix handling of explicitly specified v4 wildcard
     address; regression over previous versions, Closes: #860767
   * Fix SRV lookups to respect udp_preference_limit, regression over
     previous versions with OTP, Closes: #856307

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Mon, 28 Aug 2017 21:09:16 GMT)


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 28 Aug 2017 21:09:17 GMT)


Message #54 received at 869260-done@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: 869260-done@bugs.debian.org, 832572-done@bugs.debian.org, 819468-done@bugs.debian.org, 783557-done@bugs.debian.org
Subject: Fixed in krb5 1.12.1+dfsg-19+deb8u3
Date: Mon, 28 Aug 2017 16:57:41 -0400
source: krb5
source-version: 1.12.1+dfsg-19+deb8ku3

Hi.
The following issues were fixed in 1.12.1+dfsg-19+deb8u3 for jessie.
I ended up needing to build a +deb8u4 because of a build/upload issue,
and so the bugs were not automatically closed.
Here's the relevant changelog info:

krb5 (1.12.1+dfsg-19+deb8u4) jessie; urgency=medium

  * New version number; same code as deb8u3 but rebuilt to build arch all
    packages and because dgit doesn't deal well with reusing a version
    number when a package is rejected

 -- Sam Hartman <hartmans@debian.org>  Mon, 28 Aug 2017 11:55:49 -0400

krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high

  * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
    Closes: #869260
  *  fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), Closes:
    #832572
  * fix for CVE-2016-3119: remote DOS with ldap for authenticated
    attackers, Closes: #819468
  * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
  
 -- Sam Hartman <hartmans@debian.org>  Sun, 13 Aug 2017 18:02:34 -0400

No longer marked as fixed in versions krb5/1.12.1+dfsg-19+deb8ku3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Aug 2017 05:03:03 GMT)


Marked as fixed in versions krb5/1.12.1+dfsg-19+deb8u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Aug 2017 05:03:04 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 Oct 2017 07:30:09 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:35:59 2019; Machine Name: buxtehude
