Bug 14816

Summary: krb5 new security issues CVE-2014-535[34]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: olchal, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/627331/
Whiteboard: has_procedure advisory MGA4-32-OK MGA4-64-OK
Source RPM: krb5-1.11.4-1.2.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-16 16:08:35 CET 
Two security issues fixed upstream in krb5 have been announced:
http://openwall.com/lists/oss-security/2014/12/16/1

CVE-2014-5354 doesn't affect versions before 1.12, so Mageia 4 is not affected.

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerability:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal.  The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals (CVE-2014-5353).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773226
========================

Updated packages in core/updates_testing:
========================
krb5-1.11.4-1.3.mga4
libkrb53-devel-1.11.4-1.3.mga4
libkrb53-1.11.4-1.3.mga4
krb5-server-1.11.4-1.3.mga4
krb5-server-ldap-1.11.4-1.3.mga4
krb5-workstation-1.11.4-1.3.mga4
krb5-pkinit-openssl-1.11.4-1.3.mga4

from krb5-1.11.4-1.3.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-16 16:08:51 CET 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Krb5

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2014-12-16 22:29:57 CET 
Given that the only thing impacted by this change is using the LDAP backend for the KDC database, which is unlikely to be tested by anyone, full testing via the procedure is not really necessary.  Just testing that the packages install is sufficient, although I just tested the kinit is able to successfully give me a ticket (tested against an Active Directory KDC), so at least I know a gamma ray didn't hit the build system and completely break the updated build :o)

Adding an OK for Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 olivier charles 2014-12-18 20:30:15 CET 
Tested succesfully on Mageia4x64 following procedure mentioned in Comment 1

From current packages :
---------------------
krb5-1.11.4-1.2.mga4
krb5-workstation-1.11.4-1.2.mga4
krb5-server-1.11.4-1.2.mga4
krb5-server-ldap-1.11.4-1.2.mga4

To updated testing packages :
---------------------------
lib64krb53-1.11.4-1.3.mga4
krb5-1.11.4-1.3.mga4
krb5-workstation-1.11.4-1.3.mga4
krb5-server-1.11.4-1.3.mga4
krb5-server-ldap-1.11.4-1.3.mga4

CC: (none) => olchal
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 claire robinson 2014-12-18 22:47:37 CET 
Validating. Advisory uploaded.

Could sysadmin please push to updates

Thanks

Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2014-12-19 16:07:26 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0536.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2014-12-22 20:26:19 CET

URL: (none) => http://lwn.net/Vulnerabilities/627331/

Comment 6 David Walser 2015-02-11 18:39:33 CET 
LWN reference for CVE-2014-5354:
http://lwn.net/Vulnerabilities/632907/