| Summary: | krb5 needs to be patched for CVE-2011-1528 and CVE-2011-1529 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Pascal Terjan <pterjan> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | arnaud.patard, guillomovitch, mageia, saispo, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | krb5 | CVE: | |
| Status comment: | | | |
Description
Pascal Terjan
2011-10-25 12:56:07 CEST
As there is no maintainer of the package, I added the committers of the package. Please see also bug 2064.

CC: (none) => arnaud.patard, guillomovitch, mageia, saispo

Patched release 1.8.3-5.1 available in updates_testing, untested.

OK, thanks. As we don't really have a 'security team', I assign this bug to the QA.

Assignee: bugsquad => qa-bugs

How do you suggest testing this?

It depends on what you want to test exactly.

If you just want to test that the new package release is functional, you have to set up a KDC, create a minimal Kerberos realm, and test retrieving credentials for it.

If you want to test that the vulnerabilities have been corrected, you also have to find an exploit and test it against your server.

In both cases, if you don't know Kerberos, that's quite difficult to do. So, my suggestion would be extra-minimalist: just try to install the package. Sure, that is quite far away from functional testing. But probably not very far from the testing level of the current package in Mageia 1 anyway...

Thank you, Guillaume. I've updated it; it seems to be recursively required by more or less everything, so I will check for any breakage.

No breakage noticed, so I think testing is complete on x86_64, unless there is a better way to do this.

No negative effects noticed on i586 either, so I am going to validate.

Advisory
--------------------
This security update provides fixes for two CVEs:

CVE-2011-1528
The krb5_ldap_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, related to the locked_check_p function.

CVE-2011-1529
The lookup_lockout_policy function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2 (aka Berkeley DB) or LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger certain process_as_req errors.
---------------------------
krb5-1.8.3-5.1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates? Thank you!

Keywords: (none) => validated_update

Update pushed.

Status: NEW => RESOLVED
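The functional test outlined in the thread (set up a KDC, create a minimal realm, retrieve credentials) as a worked script. This is an added example, not part of the bug report or of the krb5 project; it only checks that a patched KDC still issues tickets, not that the two CVEs are fixed, which the thread itself notes would need an exploit. The realm name TEST.MGA, the unprivileged port 8888, the principal name alice and the temporary working directory are assumptions chosen so the script runs without root on a host that has the krb5 server and client tools (kdb5_util, kadmin.local, krb5kdc, kinit, klist) installed; the two `mk_*_conf` helpers only generate configuration and run anywhere.

```shell
#!/bin/sh
# Added example (not from the Mageia bug or the krb5 project): a minimal,
# self-contained smoke test of a patched krb5 KDC, following the outline in
# the thread: create a realm, start a KDC, obtain a ticket for a principal.
# Assumptions (not from the page): realm name, host, port, principal, paths.
set -eu

REALM="${REALM:-TEST.MGA}"       # assumed realm name
KDC_HOST="${KDC_HOST:-localhost}"
KDC_PORT="${KDC_PORT:-8888}"     # unprivileged port so no root is needed

# Emit a client krb5.conf that sends every lookup to our private KDC
# (DNS lookups disabled so a stray SRV record cannot redirect the test).
mk_krb5_conf() {
    realm="$1"; host="$2"; port="$3"
    cat <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $host:$port
        admin_server = $host:$port
    }
EOF
}

# Emit a kdc.conf that keeps database, stash, ACL and log under one directory.
mk_kdc_conf() {
    realm="$1"; port="$2"; dir="$3"
    cat <<EOF
[kdcdefaults]
    kdc_ports = $port
    kdc_tcp_ports = $port

[realms]
    $realm = {
        database_name = $dir/principal
        key_stash_file = $dir/.k5.$realm
        acl_file = $dir/kadm5.acl
        max_life = 10h 0m 0s
    }

[logging]
    kdc = FILE:$dir/kdc.log
EOF
}

# Full functional check; needs the krb5 server and client tools installed.
run_kdc_smoke_test() {
    WORK="$(mktemp -d)"
    mk_krb5_conf "$REALM" "$KDC_HOST" "$KDC_PORT" > "$WORK/krb5.conf"
    mk_kdc_conf  "$REALM" "$KDC_PORT" "$WORK"     > "$WORK/kdc.conf"
    export KRB5_CONFIG="$WORK/krb5.conf" KRB5_KDC_PROFILE="$WORK/kdc.conf"
    export KRB5CCNAME="FILE:$WORK/ccache"

    # 1. Create the realm database (default db2 back end) with a random
    #    master password, stashed so krb5kdc can start unattended.
    master_pw="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    kdb5_util -r "$REALM" -P "$master_pw" create -s

    # 2. Add a user principal and export its key to a keytab so kinit needs
    #    no interactive password prompt.
    kadmin.local -r "$REALM" -q "addprinc -randkey alice"
    kadmin.local -r "$REALM" -q "ktadd -k $WORK/alice.keytab alice"

    # 3. Start the KDC without detaching, as a background job of this shell,
    #    and make sure it is killed and the work directory removed on exit.
    krb5kdc -r "$REALM" -n -P "$WORK/kdc.pid" &
    kdc_pid=$!
    trap 'kill "$kdc_pid" 2>/dev/null; rm -rf "$WORK"' EXIT
    sleep 1

    # 4. Retrieve credentials (an AS exchange against the new KDC) and list them.
    kinit -k -t "$WORK/alice.keytab" "alice@$REALM"
    klist
}

# Only run the full test when invoked as: sh kdc-smoke.sh run
# so the file can also be sourced for its configuration helpers.
if [ "${1:-}" = "run" ]; then
    run_kdc_smoke_test
fi
```

A successful run ends with `klist` showing a `krbtgt/TEST.MGA@TEST.MGA` ticket for `alice@TEST.MGA`; a KDC that crashes during the AS exchange would instead leave `kinit` failing with a "Cannot contact any KDC" style error, which is the behaviour the CVE descriptions above call a denial of service.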