-
krb5 (1.8.3+dfsg-5ubuntu2.3) natty-security; urgency=low
* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
- src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
src/lib/kdb/kdb_default.c: initialize pointers both at allocation
and assignment time
- CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
- src/lib/kadm5/srv/svr_principal.c: check for null password
- CVE-2012-1013
-- Steve Beattie <email address hidden> Mon, 23 Jul 2012 22:15:03 -0700
-
krb5 (1.8.3+dfsg-5ubuntu2.2) natty-security; urgency=low
* SECURITY UPDATE: fix multiple kdc DoS issues:
- db2/lockout.c, ldap/libkdb_ldap/ldap_principal2.c,
ldap/libkdb_ldap/lockout.c:
+ more strict checking for null pointers
+ disable assert iand return when db is locked
+ applied inline
- CVE-2011-1528 and CVE-2011-1529
- MITKRB5-SA-2011-006
-- Steve Beattie <email address hidden> Mon, 10 Oct 2011 15:23:12 -0700
-
krb5 (1.8.3+dfsg-5ubuntu2.1) natty-security; urgency=low
* SECURITY UPDATE: kadmind denial of service from freeing of uninitialized
pointer.
- src/kadmin/server/{network,schpw}.c: fix, thanks to upstream.
- CVE-2011-0285
- MITKRB5-SA-2011-004
-- Kees Cook <email address hidden> Mon, 18 Apr 2011 15:38:18 -0700
-
krb5 (1.8.3+dfsg-5ubuntu2) natty; urgency=low
* FFe LP: #733501
* Build for multiarch, with pre-depends on multiarch-support virtual
package.
* Add Breaks: on old versions of external packages (i.e., sssd) using
/usr/lib/krb5 due to the path transition.
-- Steve Langasek <email address hidden> Sat, 19 Mar 2011 04:15:00 -0700
-
krb5 (1.8.3+dfsg-5ubuntu1) natty; urgency=low
* SECURITY UPDATE: kdc denial of service due to double-free if PKINIT
capability is used.
- src/kdc/do_as_req.c: clear fields on allocation; applied inine,
thanks to upstream
- CVE-2011-0284
- MITKRB5-SA-2011-003
-- Steve Beattie <email address hidden> Tue, 15 Mar 2011 10:40:43 -0700
-
krb5 (1.8.3+dfsg-5) unstable; urgency=low
* KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282,
Closes: #613487
* Fix delegation of credentials against Windows servers; significant
interoperability issue, Closes: #611906
* Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes:
#616429
* Don't fail authentication when PAC verification fails; support hmac-
md5 checksums even for non-RC4 keys, Closes: #616728
-- Chuck Short <email address hidden> Tue, 15 Mar 2011 11:21:57 +0000
-
krb5 (1.8.3+dfsg-4ubuntu1) natty; urgency=low
* SECURITY UPDATE: kpropd denial of service via invalid network input
- src/slave/kpropd.c: don't return on kpropd child exit; applied
inline.
- CVE-2010-4022
- MITKRB5-SA-2011-001
* SECURITY UPDATE: kdc denial of service from unauthenticated remote
attackers
- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h,
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c,
src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c,
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:
applied inline
- CVE-2011-0281
- CVE-2011-0282
- MITKRB5-SA-2011-002
-- Steve Beattie <email address hidden> Fri, 11 Feb 2011 10:48:06 -0800
-
krb5 (1.8.3+dfsg-4) unstable; urgency=medium
* Ignore PACs without a server signature generated by OS X Open
Directory rather than failing authentication, Closes: #604925
-- Ubuntu Archive Auto-Sync <email address hidden> Wed, 15 Dec 2010 14:17:30 +0000
-
krb5 (1.8.3+dfsg-3) unstable; urgency=emergency
* MITKRB5-SA-2010-007
* CVE-2010-1324: An unauthenticated attacker can inject arbitrary
content into an existing GSS connection that appears to be integrity
protected from the legitimate peer under some circumstances
* GSS applications may accept a PAC produced by an attacker as if it
were signed by a KDC
* CVE-2010-1323: attackers have a 1/256 chance of being able to
produce krb_safe messages that appear to be from legitimate remote
sources. Other than use in KDC database copies this may not be a
huge issue only because no one actually uses krb_safe
messages. Similarly, an attacker can force clients to display
challenge/response values of the attacker's choice.
* CVE-2010-4020: An attacker may be able to generate what is
accepted as a ad-signedpath or ad-kdc-issued checksum with 1/256
probability
* New Vietnamese debconf translations, Thanks Clytie Siddall,
Closes: #601533
* Update standards version to 3.9.1 (no changes required
-- Ubuntu Archive Auto-Sync <email address hidden> Fri, 03 Dec 2010 16:47:21 +0000
-
krb5 (1.8.3+dfsg-2) unstable; urgency=high
* MITKRB5-SA-2010-006 [CVE-2010-1322]: null pointer dereference in
kdc_authdata.c leading to KDC crash, Closes: #599237
* Fix two memory leaks in krb5_get_init_creds path; one of these memory
leaks is quite common for any application such as PAM or kinit that
gets initial credentials, thanks Bastian Blank, Closes: #598032
* Install doc/CHANGES only in krb5-doc, not in all packages, saves
several megabytes on most Debian systems, Closes: #599562
krb5 (1.8.3+dfsg-1) unstable; urgency=low
* New Upstream release; only change is version bump from beta1 to final
* Bring back a libkrb53 oldlibs package. Note that this is technically a
policy violation because it doesn't provide libdes425.so.3 or
libkrb4.so.2 and thus provides a different ABI. However, some
packages, such as postgres8.4 require the lenny version to be present
for the squeeze transition, so we cannot force the removal of
libkrb53's reverse dependencies. We can conflict or break with lenny
packages that will not work with this libkrb53, but we may break
out-of-archive packages without notice. Absent someone coming up with
a patch to the modern libk5crypto-3 that allows it to work with the
lenny libkrb53 (a weekend's worth of work proved this would be quite
difficult), this is the best solution we've come up with, Closes: #596678
krb5 (1.8.3+dfsg~beta1-2) unstable; urgency=low
* Remove documentation that has moved to the krb5-appl package and is
not shipped upstream from Debian diff
krb5 (1.8.3+dfsg~beta1-1) unstable; urgency=low
* New Upstream version
* Add breaks with libkrb53 because libdes425 cannot work with new
libk5crypto3 (Closes: #557929)
* You want this version: it fixes an incompatibility with how PACs are
verified with Windows 2008
* As a result of libkrb53 breaks, we no longer get into problems with
krb5int_hmac, Closes: #566988
* Note that libkdb5-4 breaks rather than conflicts libkadm5srv6, Closes:
#565429
* Start kdc before x display managers, Closes: #588536
-- Kees Cook <email address hidden> Mon, 08 Nov 2010 11:14:51 +0000
-
krb5 (1.8.1+dfsg-5ubuntu0.1) maverick-security; urgency=low
* SECURITY UPDATE: remote authenticated user denial of service.
- src/kdc/kdc_authdata.c: patched inline, thanks to upstream.
- CVE-2010-1322, MITKRB5-SA-2010-006
-- Kees Cook <email address hidden> Mon, 04 Oct 2010 14:52:55 -0700
-
krb5 (1.8.1+dfsg-5) unstable; urgency=low
* Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
(LP: #551901)
* krb5-admin-server starts after krb5-kdc, Closes: #583494
krb5 (1.8.1+dfsg-4) unstable; urgency=low
* fix prerm script (Closes: #577389), thanks Harald Dunkel
-- Ubuntu Archive Auto-Sync <email address hidden> Fri, 28 May 2010 11:23:00 +0100