Bug 18058

Summary: krb5 new security issue CVE-2016-3119
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/681100/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: krb5-1.12.2-8.3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-23 19:40:25 CET 
Fedora has issued an advisory on March 22:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179220.html

Updated and patched packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

It was reported that in all versions of MIT krb5, an authenticated attacker
with permission to modify a principal entry can cause kadmind to dereference a
null pointer by supplying an empty DB argument to the modify_principal command,
if kadmind is configured to use the LDAP KDB module (CVE-2016-3119).

The krb5 package has been updated to version 1.12.5 and patched to fix this
issue and other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3119
http://web.mit.edu/kerberos/krb5-1.12/krb5-1.12.5.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179220.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.12.5-1.mga5
libkrb53-devel-1.12.5-1.mga5
libkrb53-1.12.5-1.mga5
krb5-server-1.12.5-1.mga5
krb5-server-ldap-1.12.5-1.mga5
krb5-workstation-1.12.5-1.mga5
krb5-pkinit-openssl-1.12.5-1.mga5

from krb5-1.12.5-1.mga5.src.rpm
Comment 1 David Walser 2016-03-23 19:40:38 CET 
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Krb5

Whiteboard: (none) => has_procedure

Comment 2 Herman Viaene 2016-03-24 09:56:04 CET 
MGA5-32 on Acer D620 Xfce
No installation issues
Completed test procedure as per Comment1 : all OK.

CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 3 claire robinson 2016-03-24 22:39:58 CET 
Validating. Advisory todo.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-03-25 06:39:53 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory

Comment 4 Mageia Robot 2016-03-25 07:39:52 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0123.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED