| Summary: | heimdal new security issue CVE-2022-3116 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, herman.viaene, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8-64-OK | ||
| Source RPM: | heimdal-7.7.0-5.1.mga8.src.rpm | CVE: | CVE-2022-3116 |
| Status comment: | |||
Description
David Walser
2022-10-14 19:32:07 CEST

David Walser
2022-10-14 19:32:18 CEST

Status comment: (none) => Patches available from upstream and Ubuntu

Comment 1

Fixed in heimdal-7.7.0-10.mga9 by Guillaume.

Whiteboard: MGA8TOO => (none)

Comment 2

Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heimdal was not properly handling logical conditions that related to memory management operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-3116)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3116
https://ubuntu.com/security/notices/USN-5675-1
========================

Updated packages in core/updates_testing:
========================
heimdal-devel-7.7.0-5.2.mga8
heimdal-devel-doc-7.7.0-5.2.mga8
heimdal-libs-7.7.0-5.2.mga8
heimdal-server-7.7.0-5.2.mga8
heimdal-workstation-7.7.0-5.2.mga8

from SRPM:
heimdal-7.7.0-5.2.mga8.src.rpm

Status: NEW => ASSIGNED

Comment 3

Selecting heimdal-devel-7.7.0-5.2.mga8 to install gives:

```
The following packages have to be removed for others to be upgraded:
curl-examples-7.74.0-1.8.mga8.noarch
 (due to unsatisfied curl-devel >= 1:7.74.0-1.8.mga8)
lib64curl-devel-7.74.0-1.8.mga8.x86_64
 (due to missing devel(libgssapi_krb5(64bit)))
lib64gsasl-devel-1.8.1-2.1.mga8.x86_64
 (due to missing devel(libgssapi_krb5(64bit)))
lib64krb53-devel-1.18.3-1.mga8.x86_64
 (due to conflicts with heimdal-devel-7.7.0-5.2.mga8.x86_64)
lib64ssh-devel-0.9.6-1.mga8.x86_64
 (due to missing devel(libgssapi_krb5(64bit)))
lib64tirpc-devel-1.3.3-1.mga8.x86_64
 (due to missing devel(libgssapi_krb5(64bit)))
```

Proceeding without heimdal-devel.

CC: (none) => herman.viaene

Comment 4

Ref bug 29658, this conflict is a known phenomenon, so disregarding here. Following tests from that bug:

```
# systemctl start heimdal-kdc
# systemctl -l status heimdal-kdc
● heimdal-kdc.service - Heimdal KDC is a Kerberos 5 Key Distribution Center server
     Loaded: loaded (/usr/lib/systemd/system/heimdal-kdc.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-10-25 14:23:38 CEST; 16s ago
       Docs: man:kdc(8)
             info:heimdal
             http://www.h5l.org/
   Main PID: 17423 (kdc)
      Tasks: 3 (limit: 4364)
     Memory: 1.6M
        CPU: 43ms
     CGroup: /system.slice/heimdal-kdc.service
             ├─17423 /usr/libexec/kdc
             ├─17425 /usr/libexec/kdc
             └─17426 /usr/libexec/kdc

Oct 25 14:23:38 mach7.hviaene.thuis systemd[1]: Started Heimdal KDC is a Kerberos 5 Key Distribution Center server.
# kadmin
kadmin: kadm5_init_with_password: No KDC found for realm HVIAENE.THUIS
```

That's true.

As normal user:

```
$ verify_krb5_conf
verify_krb5_conf: krb5_config_parse_file: open /home/tester8/.krb5/config: No such file or directory
verify_krb5_conf: krb5_config_parse_file: /etc/krb5.conf:3: binding before section
```

That's in line with bug 29658, so OK for me.

Whiteboard: (none) => MGA8-64-OK

Comment 5

Validating, but wondering if it needs to wait for Bug 29260 before it's pushed. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6

No need to wait. While heimdal and kerberos work in the same fashion to allow secure login and usage over an insecure network, the packages are independent and conflict with each other.

```
$ urpmq --conflicts heimdal-server|sort -u
heimdal-server: krb5-server
```

CC: (none) => davidwhodgins

Comment 7

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0395.html

Resolution: (none) => FIXED
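The advisory in this bug names heimdal-*-7.7.0-5.2.mga8 as the fixed Mageia 8 packages, and the QA comments check the update by hand. The following POSIX shell script is an added example, not part of the bug report and not a Mageia tool: it audits `rpm -qa`-style package lines against that fixed version-release so an administrator can tell which Heimdal packages on a host are still below the patched build. It assumes input lines in rpm NVRA form (name-version-release.arch, as `rpm -qa 'heimdal-*'` prints on Mageia); the sample lines at the bottom are constructed, not taken from any system in the report, and the comparator treats the `mgaN` release tag as a plain number, which is a simplification that only matters when comparing across Mageia releases.

```shell
#!/bin/sh
# Added example (not from the bug report): audit installed Heimdal packages on
# Mageia 8 against the fixed release named in the advisory for CVE-2022-3116.
# Assumes NVRA input lines such as "heimdal-libs-7.7.0-5.1.mga8.x86_64".

# Version-release of the fixed packages in this update (from the advisory).
FIXED_VR="7.7.0-5.2.mga8"

# Print "version-release" for an NVRA string: drop the arch, then split on the
# last two dashes (package names such as heimdal-libs contain dashes too).
nvra_vr() {
    nvr=${1%.*}            # heimdal-libs-7.7.0-5.1.mga8
    rel=${nvr##*-}         # 5.1.mga8
    nv=${nvr%-*}           # heimdal-libs-7.7.0
    ver=${nv##*-}          # 7.7.0
    printf '%s-%s\n' "$ver" "$rel"
}

# vr_ge A B: succeed when version-release A is at or above B, comparing numeric
# fields left to right. Dashes and dots both separate fields; the "mga" prefix
# on the release tag is stripped so "5.2.mga8" compares as 5 . 2 . 8
# (a simplification: it does not implement full rpm version ordering).
vr_ge() {
    a=$(printf '%s' "$1" | tr '-' '.' | sed 's/mga//g')
    b=$(printf '%s' "$2" | tr '-' '.' | sed 's/mga//g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
        bi=${b%%.*}; if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}       # missing trailing fields count as 0
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
    done
    return 0
}

# Read NVRA lines on stdin, report each heimdal-* package as fixed or
# vulnerable on stderr, and print the number still below the fixed release
# on stdout so the result can be captured by a caller.
audit_heimdal() {
    vulnerable=0
    while IFS= read -r pkg; do
        case $pkg in heimdal-*) ;; *) continue ;; esac
        if vr_ge "$(nvra_vr "$pkg")" "$FIXED_VR"; then
            echo "fixed      $pkg" >&2
        else
            echo "VULNERABLE $pkg" >&2
            vulnerable=$((vulnerable + 1))
        fi
    done
    echo "$vulnerable"
}

# Constructed sample of rpm -qa output (not real output from any tester's
# machine): one library package still at the pre-update release, one server
# package already updated, and one unrelated package that must be ignored.
SAMPLE_RPM_QA="heimdal-libs-7.7.0-5.1.mga8.x86_64
heimdal-server-7.7.0-5.2.mga8.x86_64
lib64curl4-7.74.0-1.8.mga8.x86_64"

# On a real Mageia 8 host:  rpm -qa 'heimdal-*' | audit_heimdal
printf '%s\n' "$SAMPLE_RPM_QA" | audit_heimdal
```

Run against the sample, the script reports heimdal-libs as still vulnerable and heimdal-server as fixed, and prints `1`; a clean host prints `0`. Because heimdal-server conflicts with krb5-server (as noted in the bug), the audit only ever sees one of the two implementations installed, so a `0` here says nothing about the MIT Kerberos packages, which are tracked under their own advisories.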