heimdal: CVE-2018-16860

Related Vulnerabilities: CVE-2018-16860   CVE-2019-12098  

Debian Bug report logs - #928966
heimdal: CVE-2018-16860


Package: src:heimdal; Maintainer for src:heimdal is Brian May <bam@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 14 May 2019 07:39:02 UTC

Severity: important

Tags: security, upstream

Found in versions heimdal/7.1.0+dfsg-13, heimdal/7.1.0+dfsg-13+deb9u2, heimdal/7.5.0+dfsg-2.1

Fixed in versions heimdal/7.5.0+dfsg-3, heimdal/7.1.0+dfsg-13+deb9u3

Done: Brian May <bam@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Brian May <bam@debian.org>:
Bug#928966; Package src:heimdal. (Tue, 14 May 2019 07:39:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Brian May <bam@debian.org>. (Tue, 14 May 2019 07:39:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: heimdal: CVE-2018-16860
Date: Tue, 14 May 2019 09:37:17 +0200
Source: heimdal
Version: 7.5.0+dfsg-2.1
Severity: important
Tags: security upstream
Control: found -1 7.1.0+dfsg-13+deb9u2
Control: found -1 7.1.0+dfsg-13

Hi,

The following vulnerability was published for heimdal, actually just
what is affecting Samba's embedded copy of heimdal.

CVE-2018-16860[0]:
Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-16860
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860

Please adjust the affected versions in the BTS as needed, all versions
starting from 0.8 upwards including 7.5.0 are affected.

What is your take on this? Does this need a DSA or is an update via an
upcoming point release enough?

Regards,
Salvatore



Marked as found in versions heimdal/7.1.0+dfsg-13+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 14 May 2019 07:39:04 GMT).


Marked as found in versions heimdal/7.1.0+dfsg-13. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 14 May 2019 07:39:05 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#928966; Package src:heimdal. (Tue, 14 May 2019 08:24:02 GMT).


Acknowledgement sent to Brian May <bam@debian.org>:
Extra info received and forwarded to list. (Tue, 14 May 2019 08:24:02 GMT).


Message #14 received at 928966@bugs.debian.org:

From: Brian May <bam@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 928966@bugs.debian.org
Subject: Re: Bug#928966: heimdal: CVE-2018-16860
Date: Tue, 14 May 2019 18:11:05 +1000
Salvatore Bonaccorso <carnil@debian.org> writes:

> Source: heimdal
> Version: 7.5.0+dfsg-2.1
> Severity: important
> Tags: security upstream
> Control: found -1 7.1.0+dfsg-13+deb9u2
> Control: found -1 7.1.0+dfsg-13
>
> Hi,
>
> The following vulnerability was published for heimdal, actually just
> what is affecting Samba's embedded copy of heimdal.
>
> CVE-2018-16860[0]:
> Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
>
> Please adjust the affected versions in the BTS as needed, all versions
> starting from 0.8 upwards including 7.5.0 are affected.
>
> What is your take on this? Does this need a DSA or is an update via an
> upcoming point release enough?

I am hardly authoritative on this, however my rough take right now is:

* There is a vulnerability.
* The fix is simple. Looking at the Samba patches, I suspect we only
  need the bit that alters krb5tgs.c - below.
* Not convinced this can actually be exploited without AD. It is
  unlikely you would be using the stock Heimdal with AD. So possibly
  we don't need to worry.


diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index a888788bb6f..ff7d93138c0 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1925,6 +1925,13 @@ server_lookup:
 		goto out;
 	    }
 
+	    if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
+		free_PA_S4U2Self(&self);
+		kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
+		ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+		goto out;
+	    }
+
 	    ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
 	    if (ret)
 		goto out;
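Review bot: the new rejection path calls free_PA_S4U2Self(&self) before goto out, while the error path two lines below (`if (ret) goto out;` after _krb5_s4u2self_to_checksumdata) does not; confirm that the out: label does not also free self, otherwise this branch double-frees it, and if out: does not free it, the neighbouring paths leak it. The log line "Reject PA-S4U2Self with unkeyed checksum" would also be more useful for triage if it carried self.cksum.cksumtype and the requesting client principal, since that is the signal a KDC operator would alert on.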


-- 
Brian May <bam@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>:
Bug#928966; Package src:heimdal. (Tue, 14 May 2019 09:57:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Tue, 14 May 2019 09:57:02 GMT).


Message #19 received at 928966@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Brian May <bam@debian.org>
Cc: 928966@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#928966: heimdal: CVE-2018-16860
Date: Tue, 14 May 2019 11:55:42 +0200
Hi Brian,

On Tue, May 14, 2019 at 06:11:05PM +1000, Brian May wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
> 
> > Source: heimdal
> > Version: 7.5.0+dfsg-2.1
> > Severity: important
> > Tags: security upstream
> > Control: found -1 7.1.0+dfsg-13+deb9u2
> > Control: found -1 7.1.0+dfsg-13
> >
> > Hi,
> >
> > The following vulnerability was published for heimdal, actually just
> > what is affecting Samba's embedded copy of heimdal.
> >
> > CVE-2018-16860[0]:
> > Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
> >
> > Please adjust the affected versions in the BTS as needed, all versions
> > starting from 0.8 upwards including 7.5.0 are affected.
> >
> > What is your take on this? Does this need a DSA or is an update via an
> > upcoming point release enough?
> 
> I am hardly authoritative on this, however my rough take right now is:
> 
> * There is a vulnerability.
> * The fix is simple. Looking at the Samba patches, I suspect we only
>   need the bit that alters krb5tgs.c - below.
> * Not convinced this can actually be exploited without AD. It is
>   unlikely you would be using the stock Heimdal with AD. So possibly
>   we don't need to worry.

Alright, I will mark it no-dsa for stretch then at least. For buster,
it might still be good to have the fix go in?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>:
Bug#928966; Package src:heimdal. (Wed, 15 May 2019 20:48:04 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Wed, 15 May 2019 20:48:05 GMT).


Message #24 received at 928966@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 928966@bugs.debian.org
Cc: Brian May <bam@debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#928966: heimdal: CVE-2018-16860
Date: Wed, 15 May 2019 22:45:28 +0200
Hi,

On Tue, May 14, 2019 at 11:55:42AM +0200, Salvatore Bonaccorso wrote:
> Hi Brian,
> 
> On Tue, May 14, 2019 at 06:11:05PM +1000, Brian May wrote:
> > Salvatore Bonaccorso <carnil@debian.org> writes:
> > 
> > > Source: heimdal
> > > Version: 7.5.0+dfsg-2.1
> > > Severity: important
> > > Tags: security upstream
> > > Control: found -1 7.1.0+dfsg-13+deb9u2
> > > Control: found -1 7.1.0+dfsg-13
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for heimdal, actually just
> > > what is affecting Samba's embedded copy of heimdal.
> > >
> > > CVE-2018-16860[0]:
> > > Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
> > >
> > > Please adjust the affected versions in the BTS as needed, all versions
> > > starting from 0.8 upwards including 7.5.0 are affected.
> > >
> > > What is your take on this? Does this need a DSA or is an update via an
> > > upcoming point release enough?
> > 
> > I am hardly authoritative on this, however my rough take right now is:
> > 
> > * There is a vulnerability.
> > * The fix is simple. Looking at the Samba patches, I suspect we only
> >   need the bit that alters krb5tgs.c - below.
> > * Not convinced this can actually be exploited without AD. It is
> >   unlikely you would be using the stock Heimdal with AD. So possibly
> >   we don't need to worry.
> 
> Alright, I will mark it no-dsa for stretch then at least. For buster,
> it might still be good to have the fix go in?

For reference this is the patch in heimdal git repo:

https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#928966; Package src:heimdal. (Tue, 21 May 2019 09:03:03 GMT).


Acknowledgement sent to Brian May <bam@debian.org>:
Extra info received and forwarded to list. (Tue, 21 May 2019 09:03:03 GMT).


Message #29 received at 928966@bugs.debian.org:

From: Brian May <bam@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 928966@bugs.debian.org, Debian Security Team <team@security.debian.org>
Subject: Re: Bug#928966: heimdal: CVE-2018-16860
Date: Tue, 21 May 2019 19:00:52 +1000
Salvatore Bonaccorso <carnil@debian.org> writes:

> Alright, I will mark it no-dsa for stretch then at least. For buster,
> it might still be good to have the fix go in?

First attempt: looks like the version in buster/sid doesn't build :-(

=== cut ===

=============================================
   Heimdal 7.5.0: lib/hx509/test-suite.log
=============================================

# TOTAL: 16
# PASS:  13
# SKIP:  0
# XFAIL: 0
# FAIL:  3
# XPASS: 0
# ERROR: 0

.. contents:: :depth: 2

FAIL: test_ca
=============

create certificate request
issue certificate
verify certificate
issue crl (no cert)
verify certificate (with CRL)
issue crl (with cert)
verify certificate (included in CRL)
issue crl (with cert)
verify certificate (included in CRL, and lifetime 1 month)
issue certificate (10years 1 month)
issue certificate (with https ekus)
issue certificate (pkinit KDC)
issue certificate (pkinit client)
issue certificate (hostnames)
verify certificate hostname (ok)
verify certificate hostname (fail)
verify certificate hostname (fail)
issue certificate (hostname in CN)
verify certificate hostname (ok)
verify certificate hostname (fail)
issue certificate (email)
issue certificate (email, null subject DN)
issue certificate (jabber)
issue self-signed cert
issue ca cert
issue self-signed ca cert
issue proxy certificate
verify proxy cert
FAIL test_ca (exit status: 1)

FAIL: test_chain
================

cert -> root
FAIL test_chain (exit status: 1)

FAIL: test_cms
==============

not testing ECDSA since hcrypto doesnt support ECDSA
create signed data
verify signed data
hxtool: hx509_cms_verify_signed: Failed to find certificate with id CE776EDE0BF421F878C01A7CC3B966EC4C3D4A23
FAIL test_cms (exit status: 1)

============================================================================
Testsuite summary for Heimdal 7.5.0
============================================================================
# TOTAL: 16
# PASS:  13
# SKIP:  0
# XFAIL: 0
# FAIL:  3
# XPASS: 0
# ERROR: 0
============================================================================
See lib/hx509/test-suite.log
Please report to https://github.com/heimdal/heimdal/issues
============================================================================
make[7]: *** [Makefile:1460: test-suite.log] Error 1
make[7]: Leaving directory '/<<PKGBUILDDIR>>/lib/hx509'
make[6]: *** [Makefile:1568: check-TESTS] Error 2
make[6]: Leaving directory '/<<PKGBUILDDIR>>/lib/hx509'
make[5]: *** [Makefile:1750: check-am] Error 2
make[5]: Leaving directory '/<<PKGBUILDDIR>>/lib/hx509'
make[4]: *** [Makefile:1752: check] Error 2
make[4]: Leaving directory '/<<PKGBUILDDIR>>/lib/hx509'
make[3]: *** [Makefile:565: check-recursive] Error 1
make[3]: Leaving directory '/<<PKGBUILDDIR>>/lib'
make[2]: *** [Makefile:613: check-recursive] Error 1
make[2]: Leaving directory '/<<PKGBUILDDIR>>'
dh_auto_test: make -j8 check VERBOSE=1 -j1 returned exit code 2
make[1]: *** [debian/rules:35: override_dh_auto_test] Error 2
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
make: *** [debian/rules:7: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
--------------------------------------------------------------------------------
Build finished at 2019-05-21T08:56:44Z
=== cut ===

-- 
Brian May <bam@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>:
Bug#928966; Package src:heimdal. (Tue, 21 May 2019 21:09:02 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Tue, 21 May 2019 21:09:02 GMT).


Message #34 received at 928966@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Brian May <bam@debian.org>, 928966@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#928966: heimdal: CVE-2018-16860
Date: Tue, 21 May 2019 23:06:07 +0200
Hi Brian,

On Tue, May 21, 2019 at 07:00:52PM +1000, Brian May wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
> 
> > Alright, I will mark it no-dsa for stretch then at least. For buster,
> > it might still be good to have the fix go in?
> 
> First attempt: looks like the version in buster/sid doesn't build :-(

Ah right, this is #923930?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#928966; Package src:heimdal. (Tue, 21 May 2019 21:48:03 GMT).


Acknowledgement sent to Brian May <bam@debian.org>:
Extra info received and forwarded to list. (Tue, 21 May 2019 21:48:03 GMT).


Message #39 received at 928966@bugs.debian.org:

From: Brian May <bam@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 928966@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#928966: heimdal: CVE-2018-16860
Date: Wed, 22 May 2019 07:44:29 +1000
Salvatore Bonaccorso <carnil@debian.org> writes:

> Ah right, this is #923930?

Yes, looks like it. I didn't get the recent emails, thanks for the
reference. I have now followed up there.
-- 
Brian May <bam@debian.org>



Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>:
Bug#928966; Package src:heimdal. (Wed, 22 May 2019 18:51:05 GMT).


Acknowledgement sent to Jeffrey Altman <jaltman@secure-endpoints.com>:
Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Wed, 22 May 2019 18:51:05 GMT).


Message #44 received at 928966@bugs.debian.org:

From: Jeffrey Altman <jaltman@secure-endpoints.com>
To: 928966@bugs.debian.org, Brian May <bam@debian.org>, 929064@bugs.debian.org
Subject: CVE-2018-16860
Date: Wed, 22 May 2019 14:37:54 -0400
Brian May wrote:

> I am hardly authoritative on this, however my rough take right now is:
>
> * There is a vulnerability.
> * The fix is simple. Looking at the Samba patches, I suspect we only
>   need the bit that alters krb5tgs.c - below.
> * Not convinced this can actually be exploited without AD. It is
>   unlikely you would be using the stock Heimdal with AD. So possibly
>   we don't need to worry.

When authoring https://www.samba.org/samba/security/CVE-2018-16860.html
we tried to make it very clear that although this vulnerability exists
within the Heimdal KDC (as well as Microsoft Active Directory) the
exploit grants privilege escalation to any service that authenticates
users via a non-Kerberos mechanism and then obtains a Kerberos ticket for
the authenticated user issued with the service principal being the
requesting service's identity.

To make it clear that non-Windows services could be impacted we provided
an example of a web authentication service using OAuth or Shibboleth to
obtain AFS tokens on behalf of an authenticating user.

This vulnerability is very serious and should be patched immediately.
The minimal set of changes to address CVE-2018-16860 and CVE-2019-12098
can be found in this pull request:

  https://github.com/heimdal/heimdal/pull/555

Jeffrey Altman
Heimdal Project Manager
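The check Brian's krb5tgs.c hunk adds, and the reason Jeffrey gives for it, modelled as an added Python example (not Heimdal's or Samba's code): a simplified KDC-side verifier for the PA-S4U2Self checksum, with the pre-fix behaviour (any registered checksum type is verified, and unkeyed types verify without any key) beside the fixed behaviour (unkeyed types are refused with KRB5KRB_AP_ERR_INAPP_CKSUM before verification). Checksum-type numbers and error codes are from RFC 3961 / RFC 4120 / RFC 4757; the checksum input bytes, principal names and session key are constructed stand-ins for what _krb5_s4u2self_to_checksumdata() encodes.

```python
"""KDC-side check for PA-S4U2Self checksums (model of the CVE-2018-16860 fix).

Added example, not Heimdal's code. Checksum-type numbers and error codes are
taken from RFC 3961 / RFC 4120 / RFC 4757; the checksum input is a constructed
stand-in for what Heimdal's _krb5_s4u2self_to_checksumdata() encodes.
"""
import hashlib
import hmac
import zlib
from dataclasses import dataclass
from typing import Optional

# Checksum types (RFC 3961 section 8; -138 from RFC 4757).
CKSUMTYPE_CRC32 = 1
CKSUMTYPE_RSA_MD5 = 7
CKSUMTYPE_SHA1 = 14
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16

# Unkeyed types can be computed by anyone over chosen data, so they prove
# nothing about who built the padata. Keyed types need the TGT session key.
UNKEYED_CKSUMTYPES = {1, 2, 7, 10, 14}                  # crc32, rsa-md4, rsa-md5, sha1 (10 and 14)
KEYED_CKSUMTYPES = {3, 4, 5, 6, 8, 9, 12, 13, 15, 16, -138}

# Kerberos error codes (RFC 4120 section 7.5.9).
KRB5KRB_AP_ERR_MODIFIED = 41        # checksum present but did not verify
KRB5KRB_AP_ERR_INAPP_CKSUM = 50     # inappropriate type of checksum in message


@dataclass
class PA_S4U2Self:
    """The PA-FOR-USER fields that feed the checksum (MS-SFU 2.2.1)."""
    name: str
    realm: str
    auth_package: str
    cksumtype: int
    cksum: bytes


def checksum_data(name: str, realm: str, auth_package: str) -> bytes:
    """Constructed stand-in for _krb5_s4u2self_to_checksumdata():
    name type (NT-PRINCIPAL = 1, little-endian), name, realm, auth package."""
    return (1).to_bytes(4, "little") + name.encode() + realm.encode() + auth_package.encode()


def checksum_is_keyed(cksumtype: int) -> bool:
    """Mirrors what krb5_checksum_is_keyed() answers for the types modelled here."""
    if cksumtype in KEYED_CKSUMTYPES:
        return True
    if cksumtype in UNKEYED_CKSUMTYPES:
        return False
    raise ValueError(f"unknown checksum type {cksumtype}")


def compute_checksum(cksumtype: int, data: bytes, key: Optional[bytes] = None) -> bytes:
    """Compute the checksum; the unkeyed types ignore the key entirely."""
    if cksumtype == CKSUMTYPE_CRC32:
        return zlib.crc32(data).to_bytes(4, "little")
    if cksumtype == CKSUMTYPE_RSA_MD5:
        return hashlib.md5(data).digest()
    if cksumtype == CKSUMTYPE_SHA1:
        return hashlib.sha1(data).digest()
    if cksumtype == CKSUMTYPE_HMAC_SHA1_96_AES256:
        if key is None:
            raise ValueError("keyed checksum requires the session key")
        return hmac.new(key, data, hashlib.sha1).digest()[:12]   # 96-bit truncation
    raise ValueError(f"checksum type {cksumtype} not modelled")


def build_pa(name: str, realm: str, cksumtype: int, key: Optional[bytes] = None,
             auth_package: str = "Kerberos") -> PA_S4U2Self:
    """Build a PA-S4U2Self the way a requesting service would."""
    data = checksum_data(name, realm, auth_package)
    return PA_S4U2Self(name, realm, auth_package, cksumtype,
                       compute_checksum(cksumtype, data, key))


def verify_s4u2self(pa: PA_S4U2Self, tgt_session_key: bytes, require_keyed: bool) -> int:
    """KDC-side verification. Returns 0 on success or a Kerberos error code.

    require_keyed=False is the pre-fix behaviour. True adds the check from the
    krb5tgs.c hunk: refuse unkeyed types before the checksum is even computed.
    """
    if require_keyed and not checksum_is_keyed(pa.cksumtype):
        return KRB5KRB_AP_ERR_INAPP_CKSUM
    data = checksum_data(pa.name, pa.realm, pa.auth_package)
    key = tgt_session_key if checksum_is_keyed(pa.cksumtype) else None
    expected = compute_checksum(pa.cksumtype, data, key)
    return 0 if hmac.compare_digest(expected, pa.cksum) else KRB5KRB_AP_ERR_MODIFIED


if __name__ == "__main__":
    session_key = bytes(range(32))                       # constructed TGT session key
    keyed = build_pa("alice", "EXAMPLE.ORG", CKSUMTYPE_HMAC_SHA1_96_AES256, session_key)
    unkeyed = build_pa("alice", "EXAMPLE.ORG", CKSUMTYPE_CRC32)   # built without any key
    for label, pa in (("keyed  ", keyed), ("unkeyed", unkeyed)):
        print(label, "pre-fix:", verify_s4u2self(pa, session_key, require_keyed=False),
              " fixed:", verify_s4u2self(pa, session_key, require_keyed=True))
```

The pre-fix column shows why the KDC log line in the hunk matters: a padata built with no key at all verifies cleanly, so only the checksum-type check, not the checksum comparison, tells the two requests apart.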




Reply sent to Brian May <bam@debian.org>:
You have taken responsibility. (Mon, 27 May 2019 07:36:10 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Mon, 27 May 2019 07:36:10 GMT).


Message #49 received at 928966-close@bugs.debian.org:

From: Brian May <bam@debian.org>
To: 928966-close@bugs.debian.org
Subject: Bug#928966: fixed in heimdal 7.5.0+dfsg-3
Date: Mon, 27 May 2019 07:33:40 +0000
Source: heimdal
Source-Version: 7.5.0+dfsg-3

We believe that the bug you reported is fixed in the latest version of
heimdal, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brian May <bam@debian.org> (supplier of updated heimdal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 21 May 2019 18:04:35 +1000
Source: heimdal
Architecture: source
Version: 7.5.0+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Brian May <bam@debian.org>
Changed-By: Brian May <bam@debian.org>
Closes: 923930 928966 929064
Changes:
 heimdal (7.5.0+dfsg-3) unstable; urgency=high
 .
   * CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum.
     Closes: #928966.
   * CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT.
     Closes: #929064.
   * Update test certificates to pre 2038 expiry. Closes: #923930.





Reply sent to Brian May <bam@debian.org>:
You have taken responsibility. (Fri, 07 Jun 2019 10:06:07 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 07 Jun 2019 10:06:07 GMT).


Message #54 received at 928966-close@bugs.debian.org:

From: Brian May <bam@debian.org>
To: 928966-close@bugs.debian.org
Subject: Bug#928966: fixed in heimdal 7.1.0+dfsg-13+deb9u3
Date: Fri, 07 Jun 2019 10:02:30 +0000
Source: heimdal
Source-Version: 7.1.0+dfsg-13+deb9u3

We believe that the bug you reported is fixed in the latest version of
heimdal, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 928966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brian May <bam@debian.org> (supplier of updated heimdal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 28 May 2019 17:16:51 +1000
Source: heimdal
Binary: heimdal-docs heimdal-kdc heimdal-multidev heimdal-dev heimdal-clients heimdal-kcm heimdal-servers heimdal-dbg libheimbase1-heimdal libasn1-8-heimdal libkrb5-26-heimdal libhdb9-heimdal libkadm5srv8-heimdal libkadm5clnt7-heimdal libgssapi3-heimdal libkafs0-heimdal libroken18-heimdal libotp0-heimdal libsl0-heimdal libkdc2-heimdal libhx509-5-heimdal libheimntlm0-heimdal libwind0-heimdal libhcrypto4-heimdal
Architecture: source i386 all
Version: 7.1.0+dfsg-13+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Brian May <bam@debian.org>
Changed-By: Brian May <bam@debian.org>
Description:
 heimdal-clients - Heimdal Kerberos - clients
 heimdal-dbg - Heimdal Kerberos - debugging symbols
 heimdal-dev - Heimdal Kerberos - development files
 heimdal-docs - Heimdal Kerberos - documentation
 heimdal-kcm - Heimdal Kerberos - KCM daemon
 heimdal-kdc - Heimdal Kerberos - key distribution center (KDC)
 heimdal-multidev - Heimdal Kerberos - Multi-implementation Development
 heimdal-servers - Heimdal Kerberos - server programs
 libasn1-8-heimdal - Heimdal Kerberos - ASN.1 library
 libgssapi3-heimdal - Heimdal Kerberos - GSSAPI support library
 libhcrypto4-heimdal - Heimdal Kerberos - crypto library
 libhdb9-heimdal - Heimdal Kerberos - kadmin server library
 libheimbase1-heimdal - Heimdal Kerberos - Base library
 libheimntlm0-heimdal - Heimdal Kerberos - NTLM support library
 libhx509-5-heimdal - Heimdal Kerberos - X509 support library
 libkadm5clnt7-heimdal - Heimdal Kerberos - kadmin client library
 libkadm5srv8-heimdal - Libraries for Heimdal Kerberos
 libkafs0-heimdal - Heimdal Kerberos - KAFS support library
 libkdc2-heimdal - Heimdal Kerberos - KDC support library
 libkrb5-26-heimdal - Heimdal Kerberos - libraries
 libotp0-heimdal - Heimdal Kerberos - OTP support library
 libroken18-heimdal - Heimdal Kerberos - roken support library
 libsl0-heimdal - Heimdal Kerberos - SL support library
 libwind0-heimdal - Heimdal Kerberos - stringprep implementation
Closes: 928966 929064
Changes:
 heimdal (7.1.0+dfsg-13+deb9u3) stretch-security; urgency=medium
 .
   * CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum.
     Closes: #928966.
   * CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT.
     Closes: #929064.
   * Update test certificates to pre 2038 expiry.







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:37:46 2019; Machine Name: buxtehude
