| Summary: | krb5 new security issue CVE-2018-20217 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | herman.viaene, lewyssmith, marja11, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK | | |
| Source RPM: | krb5-1.16.1-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2018-12-25 21:55:00 CET
Assigning to the registered maintainer.

Assignee: bugsquad => guillomovitch

Fixed in krb5-1.16.2-2.mga7 in Cauldron. Mageia 6 appears to be affected as well.

Version: Cauldron => 6

Advisory:
========================

Updated krb5 packages fix security vulnerability:

An authenticated user who can obtain a TGT using an older encryption type (DES, DES3, or RC4) can cause an assertion failure in the KDC by sending an S4U2Self request (CVE-2018-20217).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/
========================

Updated packages in core/updates_testing:
========================
krb5-1.15.1-2.4.mga6
libkrb53-devel-1.15.1-2.4.mga6
libkrb53-1.15.1-2.4.mga6
krb5-server-1.15.1-2.4.mga6
krb5-server-ldap-1.15.1-2.4.mga6
krb5-workstation-1.15.1-2.4.mga6
krb5-pkinit-openssl-1.15.1-2.4.mga6

from krb5-1.15.1-2.4.mga6.src.rpm

Assignee: guillomovitch => qa-bugs

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Followed procedures as per wiki https://wiki.mageia.org/en/QA_procedure:Krb5 at CLI:

```
$ mkdir -p ~/bin
$ wget https://bugs.mageia.org/attachment.cgi?id=9586 -O ~/bin/krb5_server_setup.sh
--2019-01-09 11:09:47--  https://bugs.mageia.org/attachment.cgi?id=9586
Herleiden van bugs.mageia.org... 212.85.158.151, 2a02:2178:2:7::7
Verbinding maken met bugs.mageia.org|212.85.158.151|:443... verbonden.
HTTP-verzoek is verzonden; wachten op antwoord... 200 OK
Lengte: 3710 (3,6K) [text/plain]
Wordt opgeslagen als: ‘/home/tester6/bin/krb5_server_setup.sh’

/home/tester6/bin/krb5_se 100%[==================================>]   3,62K  --.-KB/s    in 0s

2019-01-09 11:09:48 (14,5 MB/s) - ‘/home/tester6/bin/krb5_server_setup.sh’ opgeslagen [3710/3710]

$ chmod a+x ~/bin/krb5_server_setup.sh
```

Here I deviate from the procedure, because I never ever use sudo, so after su -l:

```
# /home/tester6/bin/krb5_server_setup.sh tester6
Checking dns setup for mach6.hviaene.thuis
Good. Forward and reverse dsn settings for mach6.hviaene.thuis match
The realm name will be set to MACH6.HVIAENE.THUIS
Authenticating as principal root/admin@MACH6.HVIAENE.THUIS with password.
```

Which includes installing krb5-appl-servers and xinetd, and further setting the passwords.
Edited /etc/xinetd.d/eklogin as per procedure.

```
# systemctl restart xinetd.service
```

and then as normal user:

```
$ kinit
Password for tester6@MACH6.HVIAENE.THUIS:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tester6@MACH6.HVIAENE.THUIS
$ krlogin $(hostname)
This rlogin session is encrypting all data transmissions.
You have mail.
```

That's OK to the procedure.

CC: (none) => herman.viaene

Thanks Herman for a fiddly test. Advisoried, validating.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0028.html

Status: NEW => RESOLVED
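The advisory in this report ties the KDC crash to a TGT obtained with one of the older encryption types (DES, DES3 or RC4). As an added example that is not part of this bug report or of the krb5 project, the following Python script parses krb5.conf/kdc.conf-style text and lists every setting that still enables those enctype families (and `allow_weak_crypto` when switched on), so an administrator can confirm a KDC does not issue such tickets while the package update is rolled out. The configuration snippets are constructed for the example; the realm name EXAMPLE.COM, the file paths and the prefix list used to classify enctypes are assumptions, not values taken from the page.

```python
import re
from typing import List, Tuple

# Enctype name prefixes covering the "older encryption types" the advisory
# names (DES, DES3, RC4). RC4 appears in krb5 config files as arcfour-hmac*
# or rc4-hmac*. Assumption: this prefix list is the example's own choice.
OLDER_ENCTYPE_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")

# Settings whose values are enctype lists (optionally with ":salttype",
# as in supported_enctypes entries such as aes256-cts:normal).
ENCTYPE_KEYS = ("supported_enctypes", "permitted_enctypes",
                "default_tkt_enctypes", "default_tgs_enctypes")

Entry = Tuple[str, str, str]  # (section path, key, value)


def parse_krb5_conf(text: str) -> List[Entry]:
    """Parse krb5.conf / kdc.conf style text into (section_path, key, value).

    Handles [section] headers and nested NAME = { ... } blocks, which is
    enough for [libdefaults] and the per-realm blocks under [realms].
    Comments introduced by '#' are dropped.
    """
    entries: List[Entry] = []
    section = ""
    nesting: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, nesting = header.group(1), []
            continue
        if line == "}":
            if nesting:
                nesting.pop()
            continue
        block = re.match(r"^([\w.\-]+)\s*=\s*\{$", line)
        if block:
            nesting.append(block.group(1))
            continue
        kv = re.match(r"^([\w.\-]+)\s*=\s*(.*)$", line)
        if kv:
            where = "/".join([section] + nesting)
            entries.append((where, kv.group(1), kv.group(2).strip()))
    return entries


def find_older_enctypes(text: str) -> List[Entry]:
    """Return (where, key, enctype) for each DES/DES3/RC4 enctype still
    enabled, plus allow_weak_crypto when it is switched on."""
    findings: List[Entry] = []
    for where, key, value in parse_krb5_conf(text):
        if key == "allow_weak_crypto" and value.lower() in ("true", "yes", "1"):
            findings.append((where, key, value))
        elif key in ENCTYPE_KEYS:
            for token in value.split():
                enctype = token.split(":", 1)[0].lower()  # strip ":salttype"
                if enctype.startswith(OLDER_ENCTYPE_PREFIXES):
                    findings.append((where, key, enctype))
    return findings


# Constructed sample: a kdc.conf that still advertises DES3 and RC4 keys.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/kerberos/krb5kdc/principal
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
        max_life = 10h 0m 0s   # ticket lifetime, irrelevant to the check
    }
"""

# Constructed sample: a client krb5.conf that re-enables single DES.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    allow_weak_crypto = true
    default_tkt_enctypes = aes256-cts des-cbc-crc
"""

# Constructed sample: the same realm restricted to AES only.
SAMPLE_HARDENED = """\
[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal aes128-cts:normal
    }
"""

if __name__ == "__main__":
    for name, conf in (("kdc.conf", SAMPLE_KDC_CONF),
                       ("krb5.conf", SAMPLE_KRB5_CONF),
                       ("hardened kdc.conf", SAMPLE_HARDENED)):
        hits = find_older_enctypes(conf)
        print(f"{name}: {len(hits)} finding(s)")
        for where, key, val in hits:
            print(f"  [{where}] {key}: {val}")
```

Run it against a real `/etc/krb5.conf` or `/var/lib/kerberos/krb5kdc/kdc.conf` by reading the file into `find_older_enctypes`; an empty result means none of the enctype families named in the advisory is configured. Removing an enctype from `supported_enctypes` only affects keys generated afterwards, so existing principals with old keys still need a password change or `cpw` before the check reflects what the KDC can actually issue.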