Debian Bug report logs -
#891869
krb5: CVE-2018-5729 CVE-2018-5730
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 1 Mar 2018 21:00:02 UTC
Severity: important
Tags: patch, security, upstream
Merged with 889685
Found in versions krb5/1.7dfsg~beta1-1, krb5/1.16-2
Fixed in version krb5/1.16.1-1
Done: Sam Hartman <hartmans@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Sam Hartman <hartmans@debian.org>: Bug#891869; Package src:krb5. (Thu, 01 Mar 2018 21:00:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Sam Hartman <hartmans@debian.org>. (Thu, 01 Mar 2018 21:00:05 GMT)
Message #5 received at submit@bugs.debian.org:
Source: krb5
Version: 1.7dfsg~beta1-1
Severity: important
Tags: patch security upstream
Hi,
the following vulnerabilities were published for krb5.
CVE-2018-5729[0]:
|In MIT krb5 1.6 or later, an authenticated kadmin user with permission
|to add principals to an LDAP Kerberos database can cause a null
|dereference in kadmind, or circumvent a DN container check, by
|supplying tagged data intended to be internal to the database module.
|Thanks to Sharwan Ram and Pooja Anil for discovering the potential
|null dereference.
CVE-2018-5730[1]:
|In MIT krb5 1.6 or later, an authenticated kadmin user with permission
|to add principals to an LDAP Kerberos database can circumvent a DN
|containership check by supplying both a "linkdn" and "containerdn"
|database argument, or by supplying a DN string which is a left
|extension of a container DN string but is not hierarchically within
|the container DN.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see (but not much, most information is only in
the upstream commit):
[0] https://security-tracker.debian.org/tracker/CVE-2018-5729
[1] https://security-tracker.debian.org/tracker/CVE-2018-5730
Regards,
Salvatore
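The second CVE description above names a precise failure mode: a containership check that treats a DN as "inside" a container whenever the container string is a suffix of the DN string, which any left extension of that string satisfies even when the extra characters do not form a separate RDN. The following Python is an added illustration of that check done wrongly and done hierarchically; it is not code from MIT krb5 or from the Debian package, and its DN parser is a deliberate simplification (it splits on unescaped commas and case-folds, not full RFC 4514). The container and principal DNs are constructed sample values, not taken from the bug report.

```python
"""Hierarchical LDAP DN containment versus a naive string-suffix check.

Added illustration of the class of flaw described for CVE-2018-5730.  Not
MIT krb5 code; the DN handling is intentionally minimal (unescaped-comma
splitting plus case folding) and does not implement all of RFC 4514.
"""


def split_rdns(dn):
    """Split a DN into its RDN components, keeping backslash escapes intact.

    'cn=a\\,b,ou=people,dc=example' -> ['cn=a\\,b', 'ou=people', 'dc=example']
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # an escaped character never separates RDNs
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return [r.strip() for r in rdns]


def normalize_rdns(dn):
    """Case-fold each RDN so the comparison is case-insensitive, as DNs are."""
    return [r.lower() for r in split_rdns(dn)]


def naive_suffix_check(dn, container):
    """The weak check: 'does the DN string end with the container string?'

    Any left extension of the container string passes, including strings
    whose parent RDN merely ends with the container's first RDN.
    """
    return dn.lower().endswith(container.lower())


def hierarchical_check(dn, container):
    """The sound check: the DN's trailing RDNs must equal the container's RDNs
    component by component, and the DN must have at least one RDN more."""
    dn_rdns = normalize_rdns(dn)
    cont_rdns = normalize_rdns(container)
    if len(dn_rdns) <= len(cont_rdns):
        return False  # equal to, or shorter than, the container: not below it
    return dn_rdns[-len(cont_rdns):] == cont_rdns


# Constructed sample DNs (placeholder realm, not values from the bug report).
CONTAINER = "ou=people,dc=example,dc=com"
INSIDE = "krbPrincipalName=alice@EXAMPLE.COM,ou=people,dc=example,dc=com"
# A left extension of the container string that is NOT inside the container:
# the parent RDN is "xou=people", not "ou=people".
LEFT_EXTENSION = "krbPrincipalName=mallory@EXAMPLE.COM,xou=people,dc=example,dc=com"


def compare_checks(dn, container):
    """Return (naive_result, hierarchical_result) so the two can be contrasted."""
    return naive_suffix_check(dn, container), hierarchical_check(dn, container)


if __name__ == "__main__":
    for label, dn in (("inside", INSIDE), ("left extension", LEFT_EXTENSION)):
        naive, strict = compare_checks(dn, CONTAINER)
        print(f"{label:15s} naive={naive!s:5s} hierarchical={strict}")
```

In a real LDAP-backed service the comparison should be done on DNs parsed by the LDAP library (OpenLDAP exposes ldap_str2dn for this), so that escaping, attribute-type aliases and whitespace are handled by one implementation rather than a hand-written splitter like the one here; the point of the example is only that containment is a property of RDN components, never of raw string suffixes.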
Marked as found in versions krb5/1.16-2. Request was from Benjamin Kaduk <kaduk@mit.edu> to control@bugs.debian.org. (Sun, 29 Apr 2018 17:30:04 GMT)
Merged 889685 891869. Request was from Benjamin Kaduk <kaduk@mit.edu> to control@bugs.debian.org. (Sun, 29 Apr 2018 17:30:06 GMT)
Added tag(s) pending. Request was from Sam Hartman <hartmans@debian.org> to control@bugs.debian.org. (Tue, 17 Jul 2018 12:30:03 GMT)
Reply sent to Sam Hartman <hartmans@debian.org>: You have taken responsibility. (Wed, 03 Oct 2018 14:45:08 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 03 Oct 2018 14:45:08 GMT)
Message #16 received at 891869-close@bugs.debian.org:
Source: krb5
Source-Version: 1.16.1-1
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 891869@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hartman <hartmans@debian.org> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 16 Jul 2018 20:09:54 -0400
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-kpropd krb5-multidev libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-k5tls krb5-doc libkrb5-3 libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit11 libkadm5clnt-mit11 libk5crypto3 libkdb5-9 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source
Version: 1.16.1-1
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description:
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - documentation for MIT Kerberos
krb5-gss-samples - MIT Kerberos GSS Sample applications
krb5-k5tls - TLS plugin for MIT Kerberos
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-kpropd - MIT Kerberos key server (Slave KDC Support)
krb5-locales - internationalization support for MIT Kerberos
krb5-multidev - development files for MIT Kerberos without Heimdal conflict
krb5-otp - OTP plugin for MIT Kerberos
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
libkadm5clnt-mit11 - MIT Kerberos runtime libraries - Administration Clients
libkadm5srv-mit11 - MIT Kerberos runtime libraries - KDC and Admin Server
libkdb5-9 - MIT Kerberos runtime libraries - Kerberos database
libkrad-dev - MIT Kerberos RADIUS Library Development
libkrad0 - MIT Kerberos runtime libraries - RADIUS library
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - debugging files for MIT Kerberos
libkrb5-dev - headers and development libraries for MIT Kerberos
libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 660767 887937 891869
Changes:
krb5 (1.16.1-1) unstable; urgency=medium
.
* New upstream release
- Fix flaws in LDAP DN checking, including a null dereference KDC
crash which could be triggered by kadmin clients with administrative
privileges [CVE-2018-5729, CVE-2018-5730], Closes: #891869
* Install kerberos.openldap.ldif, which is probably more useful than
kerberos.ldif if you're hoping to use the Kerberos schema on Debian.
Also, the bugs in kerberos.ldif have been corrected; Closes: #660767
* Suggest krb5-k5tls from krb5-user, Closes: #887937
* Merge dep8 tests, thanks Canonical and Andreas Hasenack (LP:
#1677881)
Checksums-Sha1:
4f32dc314a81b1c116b0722fad433df4755afe25 3318 krb5_1.16.1-1.dsc
8353f2d900a7d52499c7c2605d5e295f71dd5e67 9477480 krb5_1.16.1.orig.tar.gz
792dba93a577693e02be94b46b2ba998283a1e14 97608 krb5_1.16.1-1.debian.tar.xz
Checksums-Sha256:
1f8cc61d7b29ba4887de0c17504aa64206207da6e46af50eecaef6d0e50a3dfd 3318 krb5_1.16.1-1.dsc
214ffe394e3ad0c730564074ec44f1da119159d94281bbec541dc29168d21117 9477480 krb5_1.16.1.orig.tar.gz
3881aefff33f5bfb54c96b1ccd5b20ded07d9890d8dc253acfc260e48d985236 97608 krb5_1.16.1-1.debian.tar.xz
Files:
890fc0bc22d1e6150c358477812edb1a 3318 net optional krb5_1.16.1-1.dsc
848e9b80d6aaaa798e3f3df24b83c407 9477480 net optional krb5_1.16.1.orig.tar.gz
0935eb1e12e404a9a0c3cc7c2ce7c500 97608 net optional krb5_1.16.1-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQEzBAEBCAAdFiEE9Li3nMNy++OFgPTCQe7SUh/WssoFAluzj+cACgkQQe7SUh/W
sspa7Af+PLvROWCMRO3IK5L1J6cL0im5wQOCiKMh069X3CLOOXQ0inQxo3A8RA4y
tZfQ20RW3C1V64BkTDq8qoVATfMRLANx1DqSqja2p0vULySBnnHUKkKD8C/fEJ1x
wL5/MGf0HCG/K7fHHAawdQs0zn1TLaYf/JKkoQMXzaE87l6c8iOrNanz8rRf53uB
G35wisFYrn0hQXCPER3VDamJZkBY97QezGQCqk5vH2UBrWSdtkSSdnZu5gxAnGLz
HHVpNuIL5l1yiuMaPD7R2WAjI7dR7WR4iWrIyJaDoJX5+0NUqgX6y/wOz4T8ohna
s8xTVeIgnEjyqZ60fBrfvPABiplCYw==
=tWNz
-----END PGP SIGNATURE-----
Reply sent to Sam Hartman <hartmans@debian.org>: You have taken responsibility. (Wed, 03 Oct 2018 14:45:09 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 03 Oct 2018 14:45:09 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 06 Nov 2018 07:39:11 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 14:00:02 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.