Debian Bug report logs - #928966
heimdal: CVE-2018-16860
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Tue, 14 May 2019 07:39:02 UTC
Severity: important
Tags: security, upstream
Found in versions heimdal/7.1.0+dfsg-13, heimdal/7.1.0+dfsg-13+deb9u2, heimdal/7.5.0+dfsg-2.1
Fixed in versions heimdal/7.5.0+dfsg-3, heimdal/7.1.0+dfsg-13+deb9u3
Done: Brian May <bam@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Brian May <bam@debian.org>: Bug#928966; Package src:heimdal. (Tue, 14 May 2019 07:39:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Brian May <bam@debian.org>. (Tue, 14 May 2019 07:39:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: heimdal
Version: 7.5.0+dfsg-2.1
Severity: important
Tags: security upstream
Control: found -1 7.1.0+dfsg-13+deb9u2
Control: found -1 7.1.0+dfsg-13
Hi,
The following vulnerability was published for heimdal, actually just
what is affecting samba embedded copy of heimdal.
CVE-2018-16860[0]:
Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-16860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
Please adjust the affected versions in the BTS as needed, all versions
starting from 0.8 upwards including 7.5.0 are affected.
What is your take on this? Does this need a DSA or is an update via an
upcoming point release enough?
Regards,
Salvatore
Marked as found in versions heimdal/7.1.0+dfsg-13+deb9u2. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 14 May 2019 07:39:04 GMT)
Marked as found in versions heimdal/7.1.0+dfsg-13. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Tue, 14 May 2019 07:39:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#928966; Package src:heimdal. (Tue, 14 May 2019 08:24:02 GMT)
Acknowledgement sent to Brian May <bam@debian.org>: Extra info received and forwarded to list. (Tue, 14 May 2019 08:24:02 GMT)
Message #14 received at 928966@bugs.debian.org:
Salvatore Bonaccorso <carnil@debian.org> writes:
> Source: heimdal
> Version: 7.5.0+dfsg-2.1
> Severity: important
> Tags: security upstream
> Control: found -1 7.1.0+dfsg-13+deb9u2
> Control: found -1 7.1.0+dfsg-13
>
> Hi,
>
> The following vulnerability was published for heimdal, actually just
> what is affecting samba embedded copy of heimdal.
>
> CVE-2018-16860[0]:
> Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
>
> Please adjust the affected versions in the BTS as needed, all versions
> starting from 0.8 upwards including 7.5.0 are affected.
>
> What is your take on this? Does this need a DSA or is an update via an
> upcoming point release enough?
I am hardly authoritative on this, however my rough take right now is:
* There is a vulnerability.
* The fix is simple. Looking at the Samba patches, I suspect we only
  need the bit that alters krb5tgs.c - below.
* Not convinced this can actually be exploited without AD. It is
  unlikely you would be using the stock Heimdal with AD. So possible
  we don't need to worry.
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index a888788bb6f..ff7d93138c0 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1925,6 +1925,13 @@ server_lookup:
goto out;
}
+ if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
+ free_PA_S4U2Self(&self);
+ kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+ goto out;
+ }
+
ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
if (ret)
goto out;
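Review bot: the hunk is against the Samba-embedded copy (`source4/heimdal/kdc/krb5tgs.c`, index `a888788bb6f..ff7d93138c0`), so for the Debian heimdal source package it has to be rebased onto the standalone `kdc/krb5tgs.c`, and the `@@ -1925,6 +1925,13 @@` offsets may not match 7.5.0 or 7.1.0; after applying, confirm the new block still sits before the `_krb5_s4u2self_to_checksumdata` call as it does here, because rejecting a non-keyed `cksumtype` before any checksum is computed is what closes the hole (an unkeyed checksum proves nothing about possession of the session key). The error path is consistent with the surrounding code (`free_PA_S4U2Self`, set `ret`, `goto out`). One suggestion for the `kdc_log` line: include the requested principal name from `self` in the message, so a rejected request is attributable in the KDC log rather than only counted.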
--
Brian May <bam@debian.org>
Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>: Bug#928966; Package src:heimdal. (Tue, 14 May 2019 09:57:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Tue, 14 May 2019 09:57:02 GMT)
Message #19 received at 928966@bugs.debian.org:
Hi Brian,
On Tue, May 14, 2019 at 06:11:05PM +1000, Brian May wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
>
> > Source: heimdal
> > Version: 7.5.0+dfsg-2.1
> > Severity: important
> > Tags: security upstream
> > Control: found -1 7.1.0+dfsg-13+deb9u2
> > Control: found -1 7.1.0+dfsg-13
> >
> > Hi,
> >
> > The following vulnerability was published for heimdal, actually just
> > what is affecting samba embedded copy of heimdal.
> >
> > CVE-2018-16860[0]:
> > Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
> >
> > Please adjust the affected versions in the BTS as needed, all versions
> > starting from 0.8 upwards including 7.5.0 are affected.
> >
> > What is your take on this? Does this need a DSA or is an update via an
> > upcoming point release enough?
>
> I am hardly authoritative on this, however my rough take right now is:
>
> * There is a vulnerability.
> * The fix is simple. Looking at the Samba patches, I suspect we only
> need the bit that alters krb5tgs.c - below.
> * Not convinced this can actually be exploited without AD. It is
> unlikely you would be using the stock Heimdal with AD. So possible
> we don't need to worry.
Alright, I will mark it no-dsa for stretch then at least. For buster,
might be still good to have the fix go in?
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>: Bug#928966; Package src:heimdal. (Wed, 15 May 2019 20:48:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Wed, 15 May 2019 20:48:05 GMT)
Message #24 received at 928966@bugs.debian.org:
Hi,
On Tue, May 14, 2019 at 11:55:42AM +0200, Salvatore Bonaccorso wrote:
> Hi Brian,
>
> On Tue, May 14, 2019 at 06:11:05PM +1000, Brian May wrote:
> > Salvatore Bonaccorso <carnil@debian.org> writes:
> >
> > > Source: heimdal
> > > Version: 7.5.0+dfsg-2.1
> > > Severity: important
> > > Tags: security upstream
> > > Control: found -1 7.1.0+dfsg-13+deb9u2
> > > Control: found -1 7.1.0+dfsg-13
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for heimdal, actually just
> > > what is affecting samba embedded copy of heimdal.
> > >
> > > CVE-2018-16860[0]:
> > > Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
> > >
> > > Please adjust the affected versions in the BTS as needed, all versions
> > > starting from 0.8 upwards including 7.5.0 are affected.
> > >
> > > What is your take on this? Does this need a DSA or is an update via an
> > > upcoming point release enough?
> >
> > I am hardly authoritative on this, however my rough take right now is:
> >
> > * There is a vulnerability.
> > * The fix is simple. Looking at the Samba patches, I suspect we only
> > need the bit that alters krb5tgs.c - below.
> > * Not convinced this can actually be exploited without AD. It is
> > unlikely you would be using the stock Heimdal with AD. So possible
> > we don't need to worry.
>
> Alright, I will mark it no-dsa for stretch then at least. For buster,
> might be still good to have the fix go in?
For reference this is the patch in heimdal git repo:
https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#928966; Package src:heimdal. (Tue, 21 May 2019 09:03:03 GMT)
Acknowledgement sent to Brian May <bam@debian.org>: Extra info received and forwarded to list. (Tue, 21 May 2019 09:03:03 GMT)
Message #29 received at 928966@bugs.debian.org:
Salvatore Bonaccorso <carnil@debian.org> writes:
> Alright, I will mark it no-dsa for stretch then at least. For buster,
> might be still good to have the fix go in?
First attempt, looks like version in buster/sid doesn't build :-(
=== cut ===
=============================================
Heimdal 7.5.0: lib/hx509/test-suite.log
=============================================
# TOTAL: 16
# PASS: 13
# SKIP: 0
# XFAIL: 0
# FAIL: 3
# XPASS: 0
# ERROR: 0
.. contents:: :depth: 2
FAIL: test_ca
=============
create certificate request
issue certificate
verify certificate
issue crl (no cert)
verify certificate (with CRL)
issue crl (with cert)
verify certificate (included in CRL)
issue crl (with cert)
verify certificate (included in CRL, and lifetime 1 month)
issue certificate (10years 1 month)
issue certificate (with https ekus)
issue certificate (pkinit KDC)
issue certificate (pkinit client)
issue certificate (hostnames)
verify certificate hostname (ok)
verify certificate hostname (fail)
verify certificate hostname (fail)
issue certificate (hostname in CN)
verify certificate hostname (ok)
verify certificate hostname (fail)
issue certificate (email)
issue certificate (email, null subject DN)
issue certificate (jabber)
issue self-signed cert
issue ca cert
issue self-signed ca cert
issue proxy certificate
verify proxy cert
FAIL test_ca (exit status: 1)
FAIL: test_chain
================
cert -> root
FAIL test_chain (exit status: 1)
FAIL: test_cms
==============
not testing ECDSA since hcrypto doesnt support ECDSA
create signed data
verify signed data
hxtool: hx509_cms_verify_signed: Failed to find certificate with id CE776EDE0BF421F878C01A7CC3B966EC4C3D4A23
FAIL test_cms (exit status: 1)
============================================================================
Testsuite summary for Heimdal 7.5.0
============================================================================
# TOTAL: 16
# PASS: 13
# SKIP: 0
# XFAIL: 0
# FAIL: 3
# XPASS: 0
# ERROR: 0
============================================================================
See lib/hx509/test-suite.log
Please report to https://github.com/heimdal/heimdal/issues
============================================================================
make[7]: *** [Makefile:1460: test-suite.log] Error 1
make[7]: Leaving directory '/<<PKGBUILDDIR>>/lib/hx509'
make[6]: *** [Makefile:1568: check-TESTS] Error 2
make[6]: Leaving directory '/<<PKGBUILDDIR>>/lib/hx509'
make[5]: *** [Makefile:1750: check-am] Error 2
make[5]: Leaving directory '/<<PKGBUILDDIR>>/lib/hx509'
make[4]: *** [Makefile:1752: check] Error 2
make[4]: Leaving directory '/<<PKGBUILDDIR>>/lib/hx509'
make[3]: *** [Makefile:565: check-recursive] Error 1
make[3]: Leaving directory '/<<PKGBUILDDIR>>/lib'
make[2]: *** [Makefile:613: check-recursive] Error 1
make[2]: Leaving directory '/<<PKGBUILDDIR>>'
dh_auto_test: make -j8 check VERBOSE=1 -j1 returned exit code 2
make[1]: *** [debian/rules:35: override_dh_auto_test] Error 2
make[1]: Leaving directory '/<<PKGBUILDDIR>>'
make: *** [debian/rules:7: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
--------------------------------------------------------------------------------
Build finished at 2019-05-21T08:56:44Z
=== cut ===
--
Brian May <bam@debian.org>
Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>: Bug#928966; Package src:heimdal. (Tue, 21 May 2019 21:09:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Tue, 21 May 2019 21:09:02 GMT)
Message #34 received at 928966@bugs.debian.org:
Hi Brian,
On Tue, May 21, 2019 at 07:00:52PM +1000, Brian May wrote:
> Salvatore Bonaccorso <carnil@debian.org> writes:
>
> > Alright, I will mark it no-dsa for stretch then at least. For buster,
> > might be still good to have the fix go in?
>
> First attempt, looks like version in buster/sid doesn't build :-(
Ah right, this is #923930?
Regards,
Salvatore
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#928966; Package src:heimdal. (Tue, 21 May 2019 21:48:03 GMT)
Acknowledgement sent to Brian May <bam@debian.org>: Extra info received and forwarded to list. (Tue, 21 May 2019 21:48:03 GMT)
Message #39 received at 928966@bugs.debian.org:
Salvatore Bonaccorso <carnil@debian.org> writes:
> Ah right, this is #923930?
Yes, looks like it. I didn't get the recent emails, thanks for the
reference. I have now followed up there.
--
Brian May <bam@debian.org>
Information forwarded to debian-bugs-dist@lists.debian.org, Brian May <bam@debian.org>: Bug#928966; Package src:heimdal. (Wed, 22 May 2019 18:51:05 GMT)
Acknowledgement sent to Jeffrey Altman <jaltman@secure-endpoints.com>: Extra info received and forwarded to list. Copy sent to Brian May <bam@debian.org>. (Wed, 22 May 2019 18:51:05 GMT)
Message #44 received at 928966@bugs.debian.org:
Brian May wrote:
> I am hardly authoritative on this, however my rough take right now is:
>
> * There is a vulnerability.
> * The fix is simple. Looking at the Samba patches, I suspect we only
> need the bit that alters krb5tgs.c - below.
> * Not convinced this can actually be exploited without AD. It is
> unlikely you would be using the stock Heimdal with AD. So possible
> we don't need to worry.
When authoring https://www.samba.org/samba/security/CVE-2018-16860.html
we tried to make it very clear that although this vulnerability exists
within the Heimdal KDC (as well as Microsoft Active Directory) the
exploit grants privilege escalation to any service that authenticates
users via a non-Kerberos mechanism and then obtains a Kerberos ticket for
the authenticated user issued with the service principal being the
requesting service's identity.
To make it clear that non-Windows services could be impacted we provided
an example of a web authentication service using OAuth or Shibboleth to
obtain AFS tokens on behalf of an authenticating user.
This vulnerability is very serious and should be patched immediately.
The minimal set of changes to address CVE-2018-16860 and CVE-2019-12098
can be found in this pull request:
https://github.com/heimdal/heimdal/pull/555
Jeffrey Altman
Heimdal Project Manager
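The check that the krb5tgs.c hunk in Brian's message adds, and the reason Jeffrey calls it serious, modelled end to end as an added example (Python, not Heimdal or Samba code): a service builds a PA-S4U2Self request and the KDC verifies it with and without the keyed-checksum test. The checksum type numbers are the RFC 3961 values; the checksum-data layout, the direct use of the TGT session key and the names `PaS4U2Self`, `build_request` and `kdc_verify_s4u2self` are this example's own assumptions.

```python
"""Model of the KDC-side PA-S4U2Self checksum check fixed for CVE-2018-16860.
Constructed, simplified example, not Heimdal or Samba code: checksum type
numbers are the RFC 3961 values, but a real KDC derives a usage-specific key
from the TGT session key instead of using it directly as done here."""
import hashlib
import hmac
import zlib
from dataclasses import dataclass
from typing import List, Tuple

# Checksum type numbers from RFC 3961 section 8.
CRC32 = 1                  # unkeyed
SHA1_UNKEYED = 14          # unkeyed
HMAC_SHA1_96_AES256 = 16   # keyed
KEYED_TYPES = {HMAC_SHA1_96_AES256}
NT_PRINCIPAL = 1           # name-type written into the checksum data


def checksum_is_keyed(cksumtype: int) -> bool:
    """Models krb5_checksum_is_keyed(): only keyed types prove key possession."""
    return cksumtype in KEYED_TYPES


@dataclass
class PaS4U2Self:
    """The PA-S4U2Self fields that the checksum covers (assumed subset)."""
    name: List[str]        # components of the user the service wants a ticket for
    realm: str
    auth_package: str
    cksumtype: int
    checksum: bytes


def checksum_data(pa: PaS4U2Self) -> bytes:
    """Bytes the checksum covers, in the role of _krb5_s4u2self_to_checksumdata:
    little-endian name type, name components, realm, auth-package (assumed
    layout, following MS-SFU)."""
    out = NT_PRINCIPAL.to_bytes(4, "little")
    for component in pa.name:
        out += component.encode()
    return out + pa.realm.encode() + pa.auth_package.encode()


def compute_checksum(cksumtype: int, key: bytes, data: bytes) -> bytes:
    """Unkeyed types ignore `key`: any party can produce them over any data."""
    if cksumtype == CRC32:
        return zlib.crc32(data).to_bytes(4, "little")
    if cksumtype == SHA1_UNKEYED:
        return hashlib.sha1(data).digest()
    if cksumtype == HMAC_SHA1_96_AES256:
        return hmac.new(key, data, "sha1").digest()[:12]
    raise ValueError("unsupported checksum type %d" % cksumtype)


def build_request(name, realm, auth_package, cksumtype, key=b"") -> PaS4U2Self:
    """What a service puts in its S4U2Self TGS-REQ. `key` is the session key
    of the service's own TGT; unkeyed types never look at it."""
    pa = PaS4U2Self(name, realm, auth_package, cksumtype, b"")
    pa.checksum = compute_checksum(cksumtype, key, checksum_data(pa))
    return pa


def kdc_verify_s4u2self(pa: PaS4U2Self, session_key: bytes,
                        reject_unkeyed: bool = True) -> Tuple[bool, str]:
    """KDC side. reject_unkeyed=False models the pre-fix KDC, which verified
    whichever checksum type the request named."""
    if reject_unkeyed and not checksum_is_keyed(pa.cksumtype):
        # The check the krb5tgs.c hunk adds, with its error code and log text.
        return False, "KRB5KRB_AP_ERR_INAPP_CKSUM: Reject PA-S4U2Self with unkeyed checksum"
    expected = compute_checksum(pa.cksumtype, session_key, checksum_data(pa))
    if not hmac.compare_digest(expected, pa.checksum):
        return False, "KRB5KRB_AP_ERR_BAD_INTEGRITY: checksum mismatch"
    return True, "ok"


# Constructed keys: SESSION_KEY is the service TGT session key the KDC holds;
# OTHER_KEY stands for a requester that does not hold it.
SESSION_KEY = b"\xa5" * 32
OTHER_KEY = b"\x5a" * 32


def demo() -> dict:
    """Run the cases that matter and return whether each was accepted."""
    legit = build_request(["alice"], "EXAMPLE.COM", "Kerberos",
                          HMAC_SHA1_96_AES256, SESSION_KEY)
    unkeyed = build_request(["bob"], "EXAMPLE.COM", "Kerberos", CRC32)
    wrong_key = build_request(["bob"], "EXAMPLE.COM", "Kerberos",
                              HMAC_SHA1_96_AES256, OTHER_KEY)
    return {
        "keyed_right_key": kdc_verify_s4u2self(legit, SESSION_KEY)[0],
        "unkeyed_before_fix": kdc_verify_s4u2self(unkeyed, SESSION_KEY,
                                                  reject_unkeyed=False)[0],
        "unkeyed_after_fix": kdc_verify_s4u2self(unkeyed, SESSION_KEY)[0],
        "keyed_wrong_key": kdc_verify_s4u2self(wrong_key, SESSION_KEY)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print("%-20s %s" % (case, "ACCEPT" if accepted else "REJECT"))
```

The pre-fix KDC accepts the CRC32 request although nothing in it depends on the session key; with the added check the only way through is a keyed checksum computed with the key the KDC holds.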
Reply sent to Brian May <bam@debian.org>: You have taken responsibility. (Mon, 27 May 2019 07:36:10 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Mon, 27 May 2019 07:36:10 GMT)
Message #49 received at 928966-close@bugs.debian.org:
Source: heimdal
Source-Version: 7.5.0+dfsg-3
We believe that the bug you reported is fixed in the latest version of
heimdal, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 928966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brian May <bam@debian.org> (supplier of updated heimdal package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 21 May 2019 18:04:35 +1000
Source: heimdal
Architecture: source
Version: 7.5.0+dfsg-3
Distribution: unstable
Urgency: high
Maintainer: Brian May <bam@debian.org>
Changed-By: Brian May <bam@debian.org>
Closes: 923930 928966 929064
Changes:
heimdal (7.5.0+dfsg-3) unstable; urgency=high
.
* CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum.
Closes: #928966.
* CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT.
Closes: #929064.
* Update test certificates to pre 2038 expiry. Closes: #923930.
Reply sent to Brian May <bam@debian.org>: You have taken responsibility. (Fri, 07 Jun 2019 10:06:07 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Fri, 07 Jun 2019 10:06:07 GMT)
Message #54 received at 928966-close@bugs.debian.org:
Source: heimdal
Source-Version: 7.1.0+dfsg-13+deb9u3
We believe that the bug you reported is fixed in the latest version of
heimdal, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 928966@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brian May <bam@debian.org> (supplier of updated heimdal package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 28 May 2019 17:16:51 +1000
Source: heimdal
Binary: heimdal-docs heimdal-kdc heimdal-multidev heimdal-dev heimdal-clients heimdal-kcm heimdal-servers heimdal-dbg libheimbase1-heimdal libasn1-8-heimdal libkrb5-26-heimdal libhdb9-heimdal libkadm5srv8-heimdal libkadm5clnt7-heimdal libgssapi3-heimdal libkafs0-heimdal libroken18-heimdal libotp0-heimdal libsl0-heimdal libkdc2-heimdal libhx509-5-heimdal libheimntlm0-heimdal libwind0-heimdal libhcrypto4-heimdal
Architecture: source i386 all
Version: 7.1.0+dfsg-13+deb9u3
Distribution: stretch-security
Urgency: medium
Maintainer: Brian May <bam@debian.org>
Changed-By: Brian May <bam@debian.org>
Description:
heimdal-clients - Heimdal Kerberos - clients
heimdal-dbg - Heimdal Kerberos - debugging symbols
heimdal-dev - Heimdal Kerberos - development files
heimdal-docs - Heimdal Kerberos - documentation
heimdal-kcm - Heimdal Kerberos - KCM daemon
heimdal-kdc - Heimdal Kerberos - key distribution center (KDC)
heimdal-multidev - Heimdal Kerberos - Multi-implementation Development
heimdal-servers - Heimdal Kerberos - server programs
libasn1-8-heimdal - Heimdal Kerberos - ASN.1 library
libgssapi3-heimdal - Heimdal Kerberos - GSSAPI support library
libhcrypto4-heimdal - Heimdal Kerberos - crypto library
libhdb9-heimdal - Heimdal Kerberos - kadmin server library
libheimbase1-heimdal - Heimdal Kerberos - Base library
libheimntlm0-heimdal - Heimdal Kerberos - NTLM support library
libhx509-5-heimdal - Heimdal Kerberos - X509 support library
libkadm5clnt7-heimdal - Heimdal Kerberos - kadmin client library
libkadm5srv8-heimdal - Libraries for Heimdal Kerberos
libkafs0-heimdal - Heimdal Kerberos - KAFS support library
libkdc2-heimdal - Heimdal Kerberos - KDC support library
libkrb5-26-heimdal - Heimdal Kerberos - libraries
libotp0-heimdal - Heimdal Kerberos - OTP support library
libroken18-heimdal - Heimdal Kerberos - roken support library
libsl0-heimdal - Heimdal Kerberos - SL support library
libwind0-heimdal - Heimdal Kerberos - stringprep implementation
Closes: 928966 929064
Changes:
heimdal (7.1.0+dfsg-13+deb9u3) stretch-security; urgency=medium
.
* CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum.
Closes: #928966.
* CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT.
Closes: #929064.
* Update test certificates to pre 2038 expiry.
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:37:46 2019.