Change logs for krb5 source package in Maverick

  • krb5 (1.8.1+dfsg-5ubuntu0.8) maverick-security; urgency=low
    
      * SECURITY UPDATE: fix multiple kdc DoS issues:
        - db2/lockout.c, ldap/libkdb_ldap/ldap_principal2.c,
          ldap/libkdb_ldap/lockout.c:
          + more strict checking for null pointers
          + disable assert and return when db is locked
          + applied inline from upstream
        - CVE-2011-1528 and CVE-2011-1529
        - MITKRB5-SA-2011-006
     -- Steve Beattie <email address hidden>   Tue, 11 Oct 2011 06:52:39 -0700
  • krb5 (1.8.1+dfsg-5ubuntu0.7) maverick-security; urgency=low
    
      * SECURITY UPDATE: kadmind denial of service from freeing of uninitialized
        pointer.
        - src/kadmin/server/{network,schpw}.c: fix, thanks to upstream.
        - CVE-2011-0285
        - MITKRB5-SA-2011-004
     -- Kees Cook <email address hidden>   Mon, 18 Apr 2011 15:40:00 -0700
  • krb5 (1.8.1+dfsg-5ubuntu0.6) maverick-security; urgency=low
    
      * SECURITY UPDATE: kdc denial of service due to double-free if PKINIT
        capability is used.
        - src/kdc/do_as_req.c: clear fields on allocation; applied inline,
          thanks to upstream
        - CVE-2011-0284
        - MITKRB5-SA-2011-003
     -- Steve Beattie <email address hidden>   Mon, 14 Mar 2011 15:46:36 -0700
  • krb5 (1.8.1+dfsg-5ubuntu0.4) maverick-security; urgency=low
    
      * SECURITY UPDATE: kpropd denial of service via invalid network input
        - src/slave/kpropd.c: don't return on kpropd child exit; applied
          inline.
        - CVE-2010-4022
        - MITKRB5-SA-2011-001
      * SECURITY UPDATE: kdc denial of service from unauthenticated remote
        attackers
        - src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h,
          src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c,
          src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c,
          src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:
          applied inline
        - CVE-2011-0281
        - CVE-2011-0282
        - MITKRB5-SA-2011-002
     -- Steve Beattie <email address hidden>   Wed, 09 Feb 2011 11:58:55 -0800
  • krb5 (1.8.1+dfsg-5ubuntu0.2) maverick-security; urgency=low
    
      * SECURITY UPDATE: message forgery and privilege escalation via
        unacceptable checksums
        - src/lib/crypto/krb/dk/derive.c, src/lib/crypto/krb/keyed_checksum_types.c,
          src/lib/gssapi/krb5/util_crypt.c, src/lib/krb5/krb/mk_safe.c,
          src/lib/krb5/krb/pac.c, src/lib/krb5/krb/preauth2.c,
          src/plugins/preauth/pkinit/pkinit_srv.c: patched inline, thanks to
          upstream.
        - CVE-2010-1323
        - CVE-2010-1324
        - CVE-2010-4020
        - MITKRB5-SA-2010-007
     -- Marc Deslauriers <email address hidden>   Wed, 08 Dec 2010 09:11:44 -0500
  • krb5 (1.8.1+dfsg-5ubuntu0.1) maverick-security; urgency=low
    
      * SECURITY UPDATE: remote authenticated user denial of service.
        - src/kdc/kdc_authdata.c: patched inline, thanks to upstream.
        - CVE-2010-1322, MITKRB5-SA-2010-006
     -- Kees Cook <email address hidden>   Mon, 04 Oct 2010 14:52:55 -0700
  • krb5 (1.8.1+dfsg-5) unstable; urgency=low
    
      * Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
        (LP: #551901)
      * krb5-admin-server starts after krb5-kdc, Closes: #583494
    
    krb5 (1.8.1+dfsg-4) unstable; urgency=low
    
      * fix prerm script (Closes: #577389), thanks Harald Dunkel
     -- Ubuntu Archive Auto-Sync <email address hidden>   Fri, 28 May 2010 11:23:00 +0100
  • krb5 (1.8.1+dfsg-3) unstable; urgency=high
    
      * CVE-2010-1321 GSS-API accept sec context null pointer deref, Closes:
        #582261
      * Force use of bash for build, Closes: #581473
      * Start slapd before krb5 when krb5-kdc-ldap installed, Closes:
        #582122
     -- Ubuntu Archive Auto-Sync <email address hidden>   Thu, 20 May 2010 23:33:02 +0100
  • krb5 (1.8.1+dfsg-2) unstable; urgency=high
    
      * Fix crash in renewal and validation, thanks Joel Johnson for such a
        prompt bug report, Closes: #577490
    
    krb5 (1.8.1+dfsg-1) unstable; urgency=high
    
      * New upstream release
      * Fixes significant ABI incompatibility between Heimdal and MIT in the
        init_creds_step API; backward incompatible change in the meaning of
        the flags API.  Since this was introduced in 1.8 and since no better
        solution was found, it's felt that getting 1.8.1 out everywhere that
        had 1.8 very promptly is the right approach.  Otherwise software built
        against 1.8 will be broken in the future.
      * Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
        Kerberos and Microsoft Kerberos; resolve this incompatibility.  As a
        result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
        produce undesirable results for constrained delegation.  Again,
        another reason to replace 1.8 with 1.8.1 as soon as possible.
      * Acknowledge security team upload, thanks for picking up the slack and
        sorry it was necessary
    
    krb5 (1.8+dfsg-1.1) unstable; urgency=high
    
      * Non-maintainer upload by the Security Team.
      * Fixed CVE-2010-0628: denial of service (assertion failure and daemon crash)
        via an invalid packet that triggers incorrect preparation of an error
        token. (Closes: #575740)
      * Makes src/slave/kpropd.c ISO C90 compliant (Closes: #574703)
    
    krb5 (1.8+dfsg-1) unstable; urgency=low
    
      * New upstream version
      * Include new upstream notice file in docs
      * Update symbols files
      * Include upstream ticket 6676: fix handling of cross-realm tickets
        issued by W2K8R2
      * Add ipv6 support to kprop, Michael Stapelberg, Closes: #549476
      * New Brazilian Portuguese translations, thanks Eder L. Marques,
        Closes: #574149
     -- Sam Hartman <email address hidden>   Wed, 14 Apr 2010 21:37:02 +0100