Change logs for krb5 source package in Lucid

  • krb5 (1.8.1+dfsg-2ubuntu0.14) lucid-security; urgency=medium
    
      * SECURITY UPDATE: ticket forging via old keys
        - src/lib/kadm5/srv/svr_principal.c: return only new keys
        - af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca
        - CVE-2014-5321
      * SECURITY UPDATE: use-after-free and double-free memory access
        violations
        - properly handle context deletion in
          src/lib/gssapi/krb5/context_time.c,
          src/lib/gssapi/krb5/export_sec_context.c,
          src/lib/gssapi/krb5/gssapiP_krb5.h,
          src/lib/gssapi/krb5/gssapi_krb5.c,
          src/lib/gssapi/krb5/inq_context.c,
          src/lib/gssapi/krb5/k5seal.c,
          src/lib/gssapi/krb5/k5sealiov.c,
          src/lib/gssapi/krb5/k5unseal.c,
          src/lib/gssapi/krb5/k5unsealiov.c,
          src/lib/gssapi/krb5/lucid_context.c,
          src/lib/gssapi/krb5/prf.c,
          src/lib/gssapi/krb5/process_context_token.c,
          src/lib/gssapi/krb5/wrap_size_limit.c.
        - 82dc33da50338ac84c7b4102dc6513d897d0506a
        - CVE-2014-5352
      * SECURITY UPDATE: denial of service via LDAP query with no results
        - src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c: properly handle
          policy name.
        - d1f707024f1d0af6e54a18885322d70fa15ec4d3
        - CVE-2014-5353
      * SECURITY UPDATE: denial of service via database entry for a keyless
        principal
        - src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c: support keyless
          principals.
        - 877ad027ca2103f3ac2f581451fdd347a76b8981
        - CVE-2014-5354
      * SECURITY UPDATE: denial of service or code execution in kadmind XDR
        data processing
        - fix double free in src/lib/kadm5/kadm_rpc_xdr.c,
          src/lib/rpc/auth_gssapi_misc.c.
        - a197e92349a4aa2141b5dff12e9dd44c2a2166e3
        - CVE-2014-9421
      * SECURITY UPDATE: impersonation attack via two-component server
        principals
        - src/kadmin/server/kadm_rpc_svc.c: fix kadmind server validation.
        - 6609658db0799053fbef0d7d0aa2f1fd68ef32d8
        - CVE-2014-9422
      * SECURITY UPDATE: gssrpc data leakage
        - src/lib/rpc/svc_auth_gss.c: fix leakage.
        - 5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c
        - CVE-2014-9423
     -- Marc Deslauriers <email address hidden>   Fri, 06 Feb 2015 15:51:07 -0500
  • krb5 (1.8.1+dfsg-2ubuntu0.13) lucid-security; urgency=medium
    
      * SECURITY UPDATE: denial of service via malformed KRB5_PADATA_PK_AS_REQ
        AS-REQ request
        - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c: don't dereference
          null pointer.
        - c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
        - CVE-2013-1415
      * SECURITY UPDATE: denial of service via crafted TGS-REQ request
        - src/kdc/do_tgs_req.c: don't pass null pointer to strlcpy().
        - 8ee70ec63931d1e38567905387ab9b1d45734d81
        - CVE-2013-1416
      * SECURITY UPDATE: multi-realm denial of service via crafted request
        - src/kdc/main.c: don't dereference a null pointer.
        - c2ccf4197f697c4ff143b8a786acdd875e70a89d
        - CVE-2013-1418
        - CVE-2013-6800
      * SECURITY UPDATE: denial of service via invalid tokens
        - src/lib/gssapi/krb5/k5unseal.c, src/lib/gssapi/krb5/k5unsealiov.c:
          handle invalid tokens.
        - fb99962cbd063ac04c9a9d2cc7c75eab73f3533d
        - CVE-2014-4341
        - CVE-2014-4342
      * SECURITY UPDATE: denial of service via double-free in SPNEGO
        - src/lib/gssapi/spnego/spnego_mech.c: fix double-free.
        - f18ddf5d82de0ab7591a36e465bc24225776940f
        - CVE-2014-4343
      * SECURITY UPDATE: denial of service via null deref in SPNEGO acceptor
        - src/lib/gssapi/spnego/spnego_mech.c: validate REMAIN.
        - 524688ce87a15fc75f87efc8c039ba4c7d5c197b
        - CVE-2014-4344
      * SECURITY UPDATE: denial of service and possible code execution in
        kadmind with LDAP backend
        - src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c: fix off-by-one
        - 81c332e29f10887c6b9deb065f81ba259f4c7e03
        - CVE-2014-4345
     -- Marc Deslauriers <email address hidden>   Fri, 08 Aug 2014 15:03:17 -0400
  • krb5 (1.8.1+dfsg-2ubuntu0.11) lucid-security; urgency=low
    
      * SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
        - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
          src/lib/kdb/kdb_default.c: initialize pointers both at allocation
          and assignment time
        - CVE-2012-1015
      * SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
        - src/lib/kadm5/srv/svr_principal.c: check for null password
        - CVE-2012-1013
     -- Steve Beattie <email address hidden>   Mon, 23 Jul 2012 22:16:20 -0700
  • krb5 (1.8.1+dfsg-2ubuntu0.10) lucid-security; urgency=low
    
      * SECURITY UPDATE: fix multiple kdc DoS issues:
        - db2/lockout.c, ldap/libkdb_ldap/ldap_principal2.c,
          ldap/libkdb_ldap/lockout.c:
          + more strict checking for null pointers
          + disable assert and return when db is locked
          + applied inline from upstream
        - CVE-2011-1528 and CVE-2011-1529
        - MITKRB5-SA-2011-006
     -- Steve Beattie <email address hidden>   Tue, 11 Oct 2011 06:52:21 -0700
  • krb5 (1.8.1+dfsg-2ubuntu0.9) lucid-security; urgency=low
    
      * SECURITY UPDATE: kadmind denial of service from freeing of uninitialized
        pointer.
        - src/kadmin/server/{network,schpw}.c: fix, thanks to upstream.
        - CVE-2011-0285
        - MITKRB5-SA-2011-004
     -- Kees Cook <email address hidden>   Mon, 18 Apr 2011 15:40:24 -0700
  • krb5 (1.8.1+dfsg-2ubuntu0.8) lucid-security; urgency=low
    
      * SECURITY UPDATE: kdc denial of service due to double-free if PKINIT
        capability is used.
        - src/kdc/do_as_req.c: clear fields on allocation; applied inline,
          thanks to upstream
        - CVE-2011-0284
        - MITKRB5-SA-2011-003
     -- Steve Beattie <email address hidden>   Mon, 14 Mar 2011 16:01:50 -0700
  • krb5 (1.8.1+dfsg-2ubuntu0.6) lucid-security; urgency=low
    
      * SECURITY UPDATE: kpropd denial of service via invalid network input
        - src/slave/kpropd.c: don't return on kpropd child exit; applied
          inline.
        - CVE-2010-4022
        - MITKRB5-SA-2011-001
      * SECURITY UPDATE: kdc denial of service from unauthenticated remote
        attackers
        - src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h,
          src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c,
          src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c,
          src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:
          applied inline
        - CVE-2011-0281
        - CVE-2011-0282
        - MITKRB5-SA-2011-002
     -- Steve Beattie <email address hidden>   Wed, 09 Feb 2011 12:31:51 -0800
  • krb5 (1.8.1+dfsg-2ubuntu0.4) lucid-security; urgency=low
    
      * SECURITY UPDATE: message forgery and privilege escalation via
        unacceptable checksums
        - src/lib/crypto/krb/dk/derive.c, src/lib/crypto/krb/keyed_checksum_types.c,
          src/lib/gssapi/krb5/util_crypt.c, src/lib/krb5/krb/mk_safe.c,
          src/lib/krb5/krb/pac.c, src/lib/krb5/krb/preauth2.c,
          src/plugins/preauth/pkinit/pkinit_srv.c: patched inline, thanks to
          upstream.
        - CVE-2010-1323
        - CVE-2010-1324
        - CVE-2010-4020
        - MITKRB5-SA-2010-007
     -- Marc Deslauriers <email address hidden>   Wed, 08 Dec 2010 09:20:59 -0500
  • krb5 (1.8.1+dfsg-2ubuntu0.3) lucid-security; urgency=low
    
      * SECURITY UPDATE: remote authenticated user denial of service.
        - src/kdc/kdc_authdata.c: patched inline, thanks to upstream.
        - CVE-2010-1322, MITKRB5-SA-2010-006
     -- Kees Cook <email address hidden>   Mon, 04 Oct 2010 14:59:53 -0700
  • krb5 (1.8.1+dfsg-2ubuntu0.2) lucid-security; urgency=low
    
      * SECURITY UPDATE: unauthenticated remote attacker can crash kadmind.
        - debian/patches/MITKRB5-SA-2010-005: applied upstream fixes inline
        - CVE-2010-1321
     -- Kees Cook <email address hidden>   Tue, 20 Jul 2010 02:09:42 -0700
  • krb5 (1.8.1+dfsg-2ubuntu0.1) lucid-proposed; urgency=low
    
      * src/lib/gssapi/spnego/spnego_mech.c: Ignore duplicate token sent in
        mechListMIC from Windows 2000 SPNEGO (LP: #551901)
     -- Thierry Carrez <email address hidden>   Tue, 01 Jun 2010 14:55:50 +0200
  • krb5 (1.8.1+dfsg-2) unstable; urgency=high
    
      * Fix crash in renewal and validation, Thanks Joel Johnson for such a
        prompt bug report, Closes: #577490
    
    krb5 (1.8.1+dfsg-1) unstable; urgency=high
    
      * New upstream release
      * Fixes significant ABI incompatibility between Heimdal and MIT in the
        init_creds_step API; backward incompatible change in the meaning of
        the flags API.  Since this was introduced in 1.8 and since no better
        solution was found, it's felt that getting 1.8.1 out everywhere that
        had 1.8 very promptly is the right approach.  Otherwise software built
        against 1.8 will be broken in the future.
      * Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
        Kerberos and Microsoft Kerberos; resolve this incompatibility.  As a
        result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
        produce undesirable results for constrained delegation.  Again,
        another reason to replace 1.8 with 1.8.1 as soon as possible.
      * Acknowledge security team upload, thanks for picking up the slack and
        sorry it was necessary
    
    krb5 (1.8+dfsg-1.1) unstable; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Fixed CVE-2010-0628: denial of service (assertion failure and daemon crash)
        via an invalid packet that triggers incorrect preparation of an error
        token. (Closes: 575740)
      * Makes src/slave/kpropd.c ISO C90 compliant (Closes: #574703)
    
    krb5 (1.8+dfsg-1) unstable; urgency=low
    
      * New upstream version
      * Include new upstream notice file in docs
      * Update symbols files
      * Include upstream ticket 6676: fix handling of cross-realm tickets
        issued by W2K8R2
      * Add ipv6 support to kprop,  Michael Stapelberg, Closes: #549476
      * New Brazilian Portuguese translations, Thanks Eder L. Marques,
        Closes: #574149
     -- Sam Hartman <email address hidden>   Wed,  14 Apr 2010 21:37:02 +0100
  • krb5 (1.8+dfsg~alpha1-7ubuntu1) lucid; urgency=low
    
      * SECURITY UPDATE: unauthenticated remote service crash.
        - src/lib/gssapi/spnego/spnego_mech.c: back-ported upstream fixes
          from krb5 1.8.1.
        - MITKRB5-SA-2010-002 (CVE-2010-0628)
     -- Kees Cook <email address hidden>   Tue, 23 Mar 2010 11:37:07 -0700
  • krb5 (1.8+dfsg~alpha1-7) unstable; urgency=high
    
      * MITKRB5-SA-2010-001: Avoid an assertion failure leading to a denial of
        service in the KDC by doing better input validation.  (CVE-2010-0283)
      * Update standards version to 3.8.4 (no changes required).
    
    krb5 (1.8+dfsg~alpha1-6) unstable; urgency=medium
    
      * Import upstream fixes including:
        - A non-conformance with RFC 4120 that causes enc_padata to be
          included when the client may not support it
        - Weak crypto acts as a filter and does not reject if DES is
          included in krb5.conf, fixes Samba net ads join, Closes: #566977
      * Medium urgency because of the samba bug fix.  If the samba maintainers
        request the release team to bump to high I'd support that.
      * Update libkdb5 symbols for new upstream internal interface
     -- Timo Aaltonen <email address hidden>   Thu,  18 Feb 2010 06:48:33 +0000
  • krb5 (1.8+dfsg~alpha1-5) unstable; urgency=high
    
      [ Sam Hartman ]
      * New API to allow an application to enable weak crypto
      * Rename libkadm5clnt and libkadm5srv to libkadm5clnt_mit and
        libkadm5srv_mit in order to avoid conflicts with Heimdal packages.
        Sorry for the second trip through new, but we needed to coordinate
        with upstream  on the ABI issues involved with this change.
      * Medium urgency in order to get a fix for openafs-krb5 weak crypto into
        testing sooner
      * Include fix for pam-krb5 segfault with wrong password; bump urgency to
        high.
    
      [ Russ Allbery ]
      * Change libkrb5-dbg to only depend on libkrb5-3, libk5crypto3, or
        libkrb5support0.  All of the other packages for which it provides
        debugging symbols also depend on one of those packages and always
        will, so listing the disjunction of every library package is
        overkill.  Remove from the Depends several obsolete library packages
        no longer included.
      * Drop obsolete Replaces for libkadm5srv-mit7 and libkadm5clnt-mit7.
      * Wrap krb5-multidev dependencies and description and shorten the short
        description.
      * Reformat NEWS.Debian to avoid using a bulleted list per devref.
    
      [ Sam Hartman ]
      * Link libkadm5{clnt,srv}.so specially so that the links work without
        libkrb5-dev installed
     -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  27 Jan 2010 01:31:47 +0000
  • krb5 (1.8+dfsg~alpha1-4) unstable; urgency=high
    
      * Add replaces to deal with moving files from krb5-multidev to
        libkrb5-dev, Closes: #565217 
      * This is definitely the getting all the conflicts combinations right is
        tricky series of releases.  Sorry about the wasted cycles.
    
    krb5 (1.8+dfsg~alpha1-3) unstable; urgency=high
    
      * Move files to avoid overlap between heimdal-dev and krb5-multidev,
        Closes: #565132 
    
    krb5 (1.8+dfsg~alpha1-2) unstable; urgency=high
    
      * While Kerberos 1.8 is not vulnerable to CVE-2009-4212 (the vulnerable
        code was removed during the 1.8 release process for code
        simplification and code size reasons), this is urgency high to get a
        version of Kerberos that fixes that integer underflow in the AES and
        RC4 code  into testing.
      * For now,  heimdal and MIT shared libraries for kadm5 will conflict;
        discussions of how to fix this are ongoing upstream, Closes: #564666
      * New translations; sorry about missing them in the last upload
          - Vietnamese,  Thanks Clytie Siddall, Closes: #548204
          - Basque, Thanks Piarres Beobide, Closes: #534284
      * Update standards version (no changes required)
      * Pull upstream changes made since alpha1 into the package.  In
        particular this includes a fix to a bug where unkeyed checksums are
        accepted by the FAST KDC backend.  That bug was introduced between 1.7
        and 1.8 alpha1 so is only present in prior Debian packages of 1.8. See
        upstream tickets 6632 and 6633.
    
    krb5 (1.8+dfsg~alpha1-1) unstable; urgency=low
    
      * Include symlinks in libkrb5-dev too
      * New upstream release
      * Fix .so symlinks in krb5-multidev
    
    krb5 (1.8+dfsg~aa+r23527-1) experimental; urgency=low
    
      * MIT krb5 trunk prior to 1.8 branch
      * Remove krb5-telnet, krb5-ftpd, krb5-clients, krb5-rsh-server, no
        longer provided upstream.  These are provided now in a separate source
        distribution. 
      * Bring back functions needed by Samba, Closes: #531635
      * I know that the symbols revisions are generating lintian warnings;
        that will be cleaned up when upstream actually makes an alpha release 
      * Implement krb5-multidev similar to heimdal-multidev so that packages
        can be built against both MIT Kerberos and Heimdal 
     -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  22 Jan 2010 11:25:24 +0000
  • krb5 (1.7+dfsg-4) unstable; urgency=high
    
      * cve-2009-3295, MIT-KRB5-SA-2009-003: KDC crash when failing to find
        the realm of a host. Thanks Jakob Haufe for the report to Debian
     -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  05 Jan 2010 00:30:46 +0000
  • krb5 (1.7+dfsg-3) unstable; urgency=low
    
      * Fix typo in control file
      * Exclude usr/lib/krb5/plugins from  dh_makeshlibs call to deal with
        behavior change in dh_makeshlibs, Closes: #558719
    
    krb5 (1.7+dfsg-2) unstable; urgency=low
    
      * Only picked up part of the upstream fix to #557979; upstream fully
        reverted to 1.6. 
    
    krb5 (1.7+dfsg-1) unstable; urgency=low
    
      * New upstream version, Closes: #554225
      * Several fixes applied after the 1.7 release:
        - 6506: correctly handle keytab vs stash file
        - 6508: kadmind ACL parsing could reference uninitialized memory
        - 6509: kadmind can reference null pointer on ACL error
        - 6511: uninitialized memory passed to krb5_free_error in change
          password client path
        - 6514: none replay cache memory leak
        - 6515: profile library mutex performance improvements
        - 6541: memory leak in PAC verify code
        - 6542: Check for null characters in pkinit certs
        - 6543: login vs user order in ftpd sometimes wrong
        - 6551: Memory leak in spnego accept_sec_context error path
      * libkrb5-dev depends on libkadm5clnt6 (LP: #472080)
      * Avoid locking out accounts on PREAUTH_FAILED, Closes: #557979, (LP:
        #489418)
    
    krb5 (1.7dfsg~beta3-2) UNRELEASED; urgency=low
    
      * Update to policy 3.8.2 (no changes)
     -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  14 Dec 2009 18:46:18 +0000
  • krb5 (1.7dfsg~beta3-1) unstable; urgency=low
    
      * New upstream release
      * Revert relaxation of Debian symbol versions introduced in
        1.7dfsg~beta1-3 
      * Fix kproplog's manpage (LP: #374819)
    
    krb5 (1.7dfsg~beta2-4) unstable; urgency=low
    
      * Upstream fixes to RT #6490, Closes: #528729
        - Use MS usage 9 not 8 for tgs-rep encrypted in subkey
        - Do not use keyed checksum with RC4; WS2003 expects it to be
          encrypted in the subsession key, everyone else expects the session
          key.  Note that a keyed checksum for RC4 would work against WS2008.
      * Patch from Marc Dequènes (Duck) for HURD portability, Closes:
        #528828
    
    krb5 (1.7dfsg~beta2-3) unstable; urgency=low
    
      * Use correct enctype identifier in lucid security context export,
        Closes: #528514 
    
     -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  01 Jun 2009 10:43:23 +0100