
Security flaws in the krb5 software package

——————————————————————————–
Fedora Update Notification
FEDORA-2014-8176
2014-07-09 01:27:31
——————————————————————————–

Name : krb5
Product : Fedora 19
Version : 1.11.3
Release : 24.fc19
URL : http://web.mit.edu/kerberos/www/
Summary : The Kerberos network authentication system
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network’s security by eliminating the insecure
practice of sending passwords over the network in unencrypted form.

——————————————————————————–
Update Information:

This update incorporates backported upstream fixes for potential crashes caused by attempts to process malformed GSSAPI messages (CVE-2014-4341, CVE-2014-4342). It also incorporates fixes for a possible double-free (CVE-2014-4343) and a possible NULL pointer dereference (CVE-2014-4344) in GSSAPI clients.
——————————————————————————–
ChangeLog:

* Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-24
– gssapi: pull in upstream fix for a possible NULL dereference
in spnego (CVE-2014-4344)
* Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-23
– gssapi: pull in proposed fix for a double free in initiators (David
Woodhouse, CVE-2014-4343, #1117963)
* Mon Jul 7 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-22
– pull in fix for denial of service by injection of malformed GSSAPI tokens
(CVE-2014-4341, CVE-2014-4342, #1116181)
* Mon Feb 17 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-21
– spnego: pull in patch from master to restore preserving the OID of the
mechanism the initiator requested when we have multiple OIDs for the same
mechanism, so that we reply using the same mechanism OID and the initiator
doesn’t get confused (#1066000, RT#7858)
* Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-20
– add currently-proposed changes to teach ksu about credential cache
collections and the default_ccache_name setting (#1015559,#1026099)
* Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com>
– drop patch to add additional access() checks to ksu – they add to breakage
when non-FILE: caches are in use (#1026099), shouldn’t be resulting in any
benefit, and clash with proposed changes to fix its cache handling
* Tue Jan 21 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-19
– pull in and backport multiple changes to allow replay caches to be added to
a GSS credential store as “rcache”-type credentials (RT#7818/#7819/#7836,
* Thu Dec 19 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-18
– pull in fix from master to make reporting of errors encountered by
the SPNEGO mechanism work better (RT#7045, part of #1043962)
* Thu Dec 19 2013 Nalin Dahyabhai <nalin@redhat.com>
– update a test wrapper to properly handle things that the new libkrad does,
and add python-pyrad as a build requirement so that we can run its tests
* Wed Dec 18 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-17
– backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739)
* Wed Dec 18 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-16
– backport fix to avoid double-freeing in the client when we’re configured
to use a clpreauth module that isn’t actually a clpreauth module (#1035203)
* Wed Dec 18 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-15
– pull in fix from master to return a NULL pointer rather than allocating
zero bytes of memory if we read a zero-length input token (RT#7794, part
of #1043962)
– pull in fix from master to ignore an empty token from an acceptor if
we’ve already finished authenticating (RT#7797, part of #1043962)
– pull in fix from master to avoid a memory leak when a mechanism’s
init_sec_context function fails (RT#7803, part of #1043962)
– pull in fix from master to avoid a memory leak in a couple of error
cases which could occur while obtaining acceptor credentials (RT#7805,
part of #1043962)
* Tue Dec 17 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-14
– backport additional changes to libkrad to make it function more like
the version in upstream 1.12, and a few things in the OTP plugin as well
(most visibly, that the secret that’s shared with the RADIUS server is read
from a file rather than used directly) (#1040056)
* Mon Nov 18 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-13
– backport fix to not spin on a short read when reading the length of a
response over TCP (RT#7508, #1029674)
* Fri Nov 15 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-12
– incorporate fix for a KDC NULL pointer dereference while handling referrals
(CVE-2013-1417, #1030744)
* Tue Nov 5 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-11
– incorporate upstream patch for remote crash of KDCs which serve multiple
realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800,
* Thu Oct 24 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-10
– add some minimal description to the top of the wrapper scripts we use
when starting krb5kdc and kadmind to describe why they exist (tooling)
– create and own /etc/gss (#1019937)
– pull up fix for importing previously-exported credential caches in the
gssapi library (RT# 7706, #1019420)
– backport the callback to use the libkrb5 prompter when we can’t load PEM
files for PKINIT (RT#7590, includes part of #965721/#1016690)
– extract the rest of the fix #965721/#1016690 from the changes for RT#7680
– pull up fix for not calling a kdb plugin’s check-transited-path
method before calling the library’s default version, which only knows
how to read what’s in the configuration file (RT#7709, #1013664)
– configure --without-krb5-config so that we don’t pull in the old default
ccache name when we want to stop setting a default ccache name at
configure-time
* Fri Aug 23 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-9
– take another stab at accounting for UnversionedDocdirs for the -libs
subpackage (spotted by ssorce)
– switch to just the snapshot of nss_wrapper we were using, since we
no longer need to carry anything that isn’t in the cwrap.org repository
(ssorce)
* Thu Aug 15 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-8
– drop a patch we weren’t not applying (build tooling)
– wrap kadmind and kpropd in scripts which check for the presence/absence
of files which dictate particular exit codes before exec’ing the actual
binaries, instead of trying to use ConditionPathExists in the unit files
to accomplish that, so that we exit with failure properly when what we
expect isn’t actually in effect on the system (#800343)
* Mon Jul 29 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-7
– attempt to account for UnversionedDocdirs for the -libs subpackage
* Fri Jul 26 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-6
– tweak configuration files used during tests to try to reduce the number
of conflicts encountered when builds for multiple arches land on the same
builder
* Mon Jul 22 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-5
– pull up changes to allow GSSAPI modules to provide more functions
(RT#7682, #986564/#986565)
* Fri Jul 19 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-4
– use (a bundled, for now, copy of) nss_wrapper to let us run some of the
self-tests at build-time in more places than we could previously (#978756)
– cover inconsistencies in whether or not there’s a local caching nameserver
that’s willing to answer when the build environment doesn’t have a
resolver configuration, so that nss_wrapper’s faking of the local
hostname can be complete
* Mon Jul 1 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-3
– specify dependencies on the same arch of krb5-libs by using the %{?_isa}
suffix, to avoid dragging 32-bit libraries onto 64-bit systems (#980155)
* Thu Jun 13 2013 Nalin Dahyabhai <nalin@redhat.com> 1.11.3-2
– special-case /run/user/0, attempting to create it when resolving a
directory cache below it fails due to ENOENT and we find that it doesn’t
already exist, either, before attempting to create the directory cache
(maybe helping, maybe just making things more confusing for #961235)
——————————————————————————–
References:

[ 1 ] Bug #1116180 – CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext
https://bugzilla.redhat.com/show_bug.cgi?id=1116180
[ 2 ] Bug #1121876 – CVE-2014-4343 krb5: double-free flaw in SPNEGO initiators
https://bugzilla.redhat.com/show_bug.cgi?id=1121876
[ 3 ] Bug #1121877 – CVE-2014-4344 krb5: NULL pointer dereference flaw in SPNEGO acceptor for continuation tokens
https://bugzilla.redhat.com/show_bug.cgi?id=1121877
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c 'yum update krb5' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce

——————————————————————————–
Fedora Update Notification
FEDORA-2014-8189
2014-07-09 01:28:02
——————————————————————————–

Name : krb5
Product : Fedora 20
Version : 1.11.5
Release : 10.fc20
URL : http://web.mit.edu/kerberos/www/
Summary : The Kerberos network authentication system
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network’s security by eliminating the insecure
practice of sending passwords over the network in unencrypted form.

——————————————————————————–
Update Information:

This update incorporates backported upstream fixes for potential crashes caused by attempts to process malformed GSSAPI messages (CVE-2014-4341, CVE-2014-4342). It also incorporates fixes for a possible double-free (CVE-2014-4343) and a possible NULL pointer dereference (CVE-2014-4344) in GSSAPI clients.
——————————————————————————–
ChangeLog:

* Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.5-10
– gssapi: pull in upstream fix for a possible NULL dereference
in spnego (CVE-2014-4344)
* Wed Jul 16 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.5-9
– gssapi: pull in proposed fix for a double free in initiators (David
Woodhouse, CVE-2014-4343, #1117963)
* Mon Jul 7 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.5-8
– pull in fix for denial of service by injection of malformed GSSAPI tokens
(CVE-2014-4341, CVE-2014-4342, #1116181)
* Tue Jun 24 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.5-7
– pull in changes from upstream which add processing of the contents of
/etc/gss/mech.d/*.conf when loading GSS modules (#1102839)
– pull in fix for building against tcl 8.6 (#1107061)
* Tue May 27 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.5-6
– back out currently-proposed changes to teach ksu about credential cache
collections and the default_ccache_name setting (#1089035) for now
* Tue Mar 4 2014 Nathaniel McCallum <npmccallum@redhat.com> – 1.11.5-5
– Backport fix for change password requests when using FAST (RT#7868)
* Mon Feb 17 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.5-4
– spnego: pull in patch from master to restore preserving the OID of the
mechanism the initiator requested when we have multiple OIDs for the same
mechanism, so that we reply using the same mechanism OID and the initiator
doesn’t get confused (#1066000, RT#7858)
* Mon Feb 10 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.5-3
– pull in patch from master to move the default directory which the KDC uses
when computing the socket path for a local OTP daemon from the database
directory (/var/kerberos/krb5kdc) to the newly-added run directory
(/run/krb5kdc), in line with what we’re expecting in 1.13 (RT#7859, more
of #1040056 as #1063905)
– add a tmpfiles.d configuration file to have /run/krb5kdc created at
boot-time
– own /var/run/krb5kdc
* Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.5-2
– rebuild because I tagged the previous package wrong
* Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.5-1
– update to 1.11.5
– remove patch for RT#7650, obsoleted in 1.11.4
– remove patch for RT#7706, obsoleted in 1.11.4
– remove patch for RT#7756 (CVE-2013-1418), obsoleted in 1.11.4
– remove patch for RT#7668 (CVE-2013-1417), obsoleted in 1.11.4
– remove patch for RT#7508, obsoleted in 1.11.4
– remove patch for RT#7794, obsoleted in 1.11.4 as RT#7825
– remove patch for RT#7797, obsoleted in 1.11.4 as RT#7827
– remove patch for RT#7803, obsoleted in 1.11.4 as RT#7828
– remove patch for RT#7805, obsoleted in 1.11.4 as RT#7829
– remove patch for RT#7807, obsoleted in 1.11.4 as RT#7826
– remove patch for RT#7045, obsoleted in 1.11.4 as RT#7823
* Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-40
– add currently-proposed changes to teach ksu about credential cache
collections and the default_ccache_name setting (#1015559,#1026099)
* Tue Jan 21 2014 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-39
– pull in upstream patch to fix the GSSAPI library’s checks for expired
client creds in gss_init_sec_context() so that they work with keyring
caches (RT#7820, #1030607)
* Tue Jan 21 2014 Nalin Dahyabhai <nalin@redhat.com>
– pull in and backport multiple changes to allow replay caches to be added to
a GSS credential store as “rcache”-type credentials (RT#7818/#7819/#7836,
* Thu Dec 19 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-38
– pull in fix from master to make reporting of errors encountered by the SPNEGO
mechanism work better (RT#7045, part of #1043962)
* Thu Dec 19 2013 Nalin Dahyabhai <nalin@redhat.com>
– update a test wrapper to properly handle things that the new libkrad does,
and add python-pyrad as a build requirement so that we can run its tests
* Wed Dec 18 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-37
– backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739)
* Wed Dec 18 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-36
– backport fix to avoid double-freeing in the client when we’re configured
to use a clpreauth module that isn’t actually a clpreauth module (#1035203)
* Wed Dec 18 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-35
– pull in fix from master to return a NULL pointer rather than allocating
zero bytes of memory if we read a zero-length input token (RT#7794, part of
– pull in fix from master to ignore an empty token from an acceptor if
we’ve already finished authenticating (RT#7797, part of #1043962)
– pull in fix from master to avoid a memory leak when a mechanism’s
init_sec_context function fails (RT#7803, part of #1043962)
– pull in fix from master to avoid a memory leak in a couple of error
cases which could occur while obtaining acceptor credentials (RT#7805, part
of #1043962)
* Tue Dec 17 2013 Nalin Dahyabhai <nalin@redhat.com> – 1.11.3-34
– backport additional changes to libkrad to make it function more like
the version in upstream 1.12, and a few things in the OTP plugin as well
(most visibly, that the secret that’s shared with the RADIUS server is read
from a file rather than used directly) (#1040056)
——————————————————————————–
References:

[ 1 ] Bug #1116180 – CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext
https://bugzilla.redhat.com/show_bug.cgi?id=1116180
[ 2 ] Bug #1121876 – CVE-2014-4343 krb5: double-free flaw in SPNEGO initiators
https://bugzilla.redhat.com/show_bug.cgi?id=1121876
[ 3 ] Bug #1121877 – CVE-2014-4344 krb5: NULL pointer dereference flaw in SPNEGO acceptor for continuation tokens
https://bugzilla.redhat.com/show_bug.cgi?id=1121877
——————————————————————————–

This update can be installed with the “yum” update program. Use
su -c 'yum update krb5' at the command line.
For more information, refer to “Managing Software with yum”,
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
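A post-update check for the two advisories above, as an added example that is not part of the Fedora notifications: it compares an installed krb5 version-release against the releases the advisories name (1.11.3-24.fc19 and 1.11.5-10.fc20). The function names are hypothetical, and the comparison assumes GNU `sort -V` orders these numeric version strings the same way RPM does.

```shell
#!/bin/sh
# Added example, not part of the Fedora advisories.
# Releases that carry all four fixes, taken from the advisories above.
fixed_release_for() {
    case "$1" in
        fc19) echo "1.11.3-24" ;;
        fc20) echo "1.11.5-10" ;;
        *)    return 1 ;;
    esac
}

# krb5_status VERSION-RELEASE (e.g. 1.11.3-23.fc19)
# Prints "fixed", "needs-update" or "unknown" (dist tag not covered here).
krb5_status() {
    dist=${1##*.}          # text after the last dot: fc19, fc20, ...
    vr=${1%.*}             # version-release without the dist tag
    fixed=$(fixed_release_for "$dist") || { echo unknown; return 0; }
    # Assumption: GNU "sort -V" ordering matches RPM ordering for these
    # purely numeric version-release strings.
    lowest=$(printf '%s\n%s\n' "$vr" "$fixed" | sort -V | head -n 1)
    if [ "$lowest" = "$fixed" ]; then echo fixed; else echo needs-update; fi
}

# On a real host (requires rpm, so left commented out here):
#   krb5_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}' krb5-libs)"
```

Long-running services that loaded the old libraries keep using them until restarted, so a "fixed" result for the package does not cover processes started before the update.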
