krb5: CVE-2016-3120: Fix S4U2Self KDC crash when anon is restricted


Debian Bug report logs - #832572


Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 27 Jul 2016 05:48:01 UTC

Severity: important

Tags: patch, security, upstream

Found in version krb5/1.10.1+dfsg-5

Fixed in versions krb5/1.14.3+dfsg-1, krb5/1.12.1+dfsg-19+deb8u3

Done: Sam Hartman <hartmans@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#832572; Package src:krb5. (Wed, 27 Jul 2016 05:48:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Sam Hartman <hartmans@debian.org>. (Wed, 27 Jul 2016 05:48:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: krb5: CVE-2016-3120: Fix S4U2Self KDC crash when anon is restricted
Date: Wed, 27 Jul 2016 07:45:55 +0200
Source: krb5
Version: 1.10.1+dfsg-5
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for krb5.

CVE-2016-3120[0]:
Fix S4U2Self KDC crash when anon is restricted 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3120
[1] https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Benjamin Kaduk <kaduk@mit.edu>:
You have taken responsibility. (Sun, 31 Jul 2016 19:39:23 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 31 Jul 2016 19:39:23 GMT)


Message #10 received at 832572-close@bugs.debian.org:

From: Benjamin Kaduk <kaduk@mit.edu>
To: 832572-close@bugs.debian.org
Subject: Bug#832572: fixed in krb5 1.14.3+dfsg-1
Date: Sun, 31 Jul 2016 19:34:08 +0000
Source: krb5
Source-Version: 1.14.3+dfsg-1

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 832572@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Benjamin Kaduk <kaduk@mit.edu> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sat, 30 Jul 2016 22:42:39 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-kpropd krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-k5tls krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit10 libkadm5clnt-mit10 libk5crypto3 libkdb5-8 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source
Version: 1.14.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Benjamin Kaduk <kaduk@mit.edu>
Description:
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-k5tls - TLS plugin for MIT Kerberos
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-kpropd - MIT Kerberos key server (KDC)
 krb5-locales - internationalization support for MIT Kerberos
 krb5-multidev - development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit10 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit10 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-8  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - debugging files for MIT Kerberos
 libkrb5-dev - headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 806928 828946 829196 832572
Changes:
 krb5 (1.14.3+dfsg-1) unstable; urgency=medium
 .
   * New upstream version
     - includes fix for CVE-2016-3120, Closes: #832572
   * build-dep-indep on texlive-generic-extra to pick up iftex.sty after
     a reshuffle, Closes: #828946
   * Comment out supported_enctypes in kdc.conf to avoid including
     single-DES enctypes, Closes: #806928
   * Spell Build-Depends-Indep properly, Closes: #829196





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 03 Sep 2016 07:30:45 GMT)


Bug unarchived. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Sun, 27 Aug 2017 21:45:21 GMT)


Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Mon, 28 Aug 2017 21:09:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 28 Aug 2017 21:09:12 GMT)


Message #19 received at 832572-done@bugs.debian.org:

From: Sam Hartman <hartmans@debian.org>
To: 869260-done@bugs.debian.org, 832572-done@bugs.debian.org, 819468-done@bugs.debian.org, 783557-done@bugs.debian.org
Subject: Fixed in krb5 1.12.1+dfsg-19+deb8u3
Date: Mon, 28 Aug 2017 16:57:41 -0400
source: krb5
source-version: 1.12.1+dfsg-19+deb8ku3

Hi.
The following issues were fixed in 1.12.1+dfsg-19+deb8u3 for jessie.
I ended up needing to build a +deb8u4 because of a build/upload issue,
and so the bugs were not automatically closed.
Here's the relevant changelog info:

krb5 (1.12.1+dfsg-19+deb8u4) jessie; urgency=medium

  * New version number; same code as deb8u3 but rebuilt to build arch all
    packages and because dgit doesn't deal well with reusing a version
    number when a package is rejected

 -- Sam Hartman <hartmans@debian.org>  Mon, 28 Aug 2017 11:55:49 -0400

krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high

  * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
    Closes: #869260
  * fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), Closes:
    #832572
  * fix for CVE-2016-3119: remote DOS with ldap for authenticated
    attackers, Closes: #819468
  * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
  
 -- Sam Hartman <hartmans@debian.org>  Sun, 13 Aug 2017 18:02:34 -0400


No longer marked as fixed in versions krb5/1.12.1+dfsg-19+deb8ku3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Aug 2017 05:03:05 GMT)


Marked as fixed in versions krb5/1.12.1+dfsg-19+deb8u3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 29 Aug 2017 05:03:05 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Sep 2017 07:30:10 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:47:48 2019; Machine Name: buxtehude
