https://bugzilla.redhat.com/show_bug.cgi?id=962531
"Vincent Danen 2013-05-13 15:17:25 EDT
A flaw in certain programs that handle UDP traffic was discovered and assigned the name CVE-1999-0103 (that CVE specifically mentions echo and chargen as vulnerable). In 2002, a Nessus plugin was included [1] that referenced this CVE name, but was for the kpasswd service. Until recently, this issue had not been reported upstream. This issue has since been reported upstream [2] and is now fixed [3].
If a malicious remote user were to spoof their IP address to that of another server running kadmind with the password change port (kpasswd, port 464), or to the target server's IP address itself, kpasswd will pass UDP packets to the spoofed address and reply each time. This can be used to consume bandwidth and CPU on the affected servers running kadmind.
This should be fixed in the krb5-1.11.3 release.
[1] http://marc.info/?l=nessus&m=102418951803893&w=2
[2] http://krbdev.mit.edu/rt/Ticket/Display.html?id=7637
[3] https://github.com/krb5/krb5/commit/cf1a0c411b2668c57c41e9c4efd15ba17b6b322c"
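A detection sketch for the ping-pong pattern described in the report above, added here as an example and not taken from the bug report or from krb5. It assumes legitimate kpasswd clients send from ephemeral source ports, so UDP traffic with port 464 on both ends is anomalous; the flow-record layout, the addresses and the `min_packets` threshold are constructed for illustration.

```python
from collections import Counter, defaultdict

KPASSWD_PORT = 464  # password change port named in the report


def build_sample():
    """Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto)."""
    flows = [
        ("192.0.2.10", 51514, "198.51.100.5", 464, "udp"),  # ordinary client request
        ("198.51.100.5", 464, "192.0.2.10", 51514, "udp"),  # server reply
        ("203.0.113.9", 464, "198.51.100.5", 464, "udp"),   # lone one-way packet
    ]
    for _ in range(3):  # two kadmind hosts answering each other
        flows.append(("198.51.100.5", 464, "198.51.100.6", 464, "udp"))
        flows.append(("198.51.100.6", 464, "198.51.100.5", 464, "udp"))
    # a host answering itself (source spoofed to the target's own address)
    flows += [("198.51.100.7", 464, "198.51.100.7", 464, "udp")] * 5
    return flows


def find_pingpong(flows, min_packets=4):
    """Return sorted (host_a, host_b, packets) for suspected kpasswd loops.

    A pair is reported when UDP packets with port 464 on both ends were seen
    in both directions (or from a host to itself) at least min_packets times.
    Assumption: real clients use ephemeral source ports, never 464.
    """
    counts = Counter()
    directions = defaultdict(set)
    for src, sport, dst, dport, proto in flows:
        if proto != "udp" or sport != KPASSWD_PORT or dport != KPASSWD_PORT:
            continue
        pair = tuple(sorted((src, dst)))
        counts[pair] += 1
        directions[pair].add((src, dst))
    hits = []
    for pair, n in counts.items():
        looped = pair[0] == pair[1] or len(directions[pair]) == 2
        if looped and n >= min_packets:
            hits.append((pair[0], pair[1], n))
    return sorted(hits)


if __name__ == "__main__":
    for a, b, n in find_pingpong(build_sample()):
        print(f"possible kpasswd ping-pong: {a} <-> {b} ({n} packets)")
```

The same filter (UDP, source and destination port both 464) can be used as a drop rule at the network edge in front of kadmind hosts that have not yet been updated.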
krb5-1.9.2-2.6.mga2 has been submitted. Fix for krb5 in Cauldron has been committed.
Wow, only took 11 years to be reported upstream. We'll have to wait until after the Mageia 3 release to fix this now.
CC: (none) => luigiwalser
Version: 2 => Cauldron
Whiteboard: (none) => MGA3TOO, MGA2TOO
The Cauldron one is in updates_testing, so once Mageia 3 is branched it'll just need to be resubmitted to the build system.
Mandriva has issued an advisory for this today (May 21): http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:166/
Summary: CVE-2002-2443: krb5 - UDP ping-pong flaw in kpasswd => krb5 - UDP ping-pong flaw in kpasswd (CVE-2002-2443)
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2443 => http://lwn.net/Vulnerabilities/551277/
Patched packages uploaded for Mageia 2, Mageia 3, and Cauldron.
Advisory:
========================
Updated krb5 packages fix security vulnerability:
The kpasswd service provided by kadmind was vulnerable to a UDP ping-pong attack (CVE-2002-2443).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2443
https://bugzilla.redhat.com/show_bug.cgi?id=962531
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:166/
========================
Updated packages in core/updates_testing:
========================
krb5-1.9.2-2.6.mga2
libkrb53-1.9.2-2.6.mga2
libkrb53-devel-1.9.2-2.6.mga2
krb5-server-1.9.2-2.6.mga2
krb5-server-ldap-1.9.2-2.6.mga2
krb5-workstation-1.9.2-2.6.mga2
krb5-pkinit-openssl-1.9.2-2.6.mga2
krb5-1.11.1-1.1.mga3
libkrb53-devel-1.11.1-1.1.mga3
libkrb53-1.11.1-1.1.mga3
krb5-server-1.11.1-1.1.mga3
krb5-server-ldap-1.11.1-1.1.mga3
krb5-workstation-1.11.1-1.1.mga3
krb5-pkinit-openssl-1.11.1-1.1.mga3
from Source RPMs:
krb5-1.9.2-2.6.mga2.src.rpm
krb5-1.11.1-1.1.mga3.src.rpm
Version: Cauldron => 3
Assignee: bugsquad => qa-bugs
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Severity: normal => major
No PoC that I've found, so just testing as per https://wiki.mageia.org/en/QA_procedure:Krb5
Testing shortly.
CC: (none) => davidwhodgins
Testing complete on Mageia 2 i586 and x86_64. There have been enough changes in Mageia 3, so that the qa krb5 setup script isn't working. Once I've figured out what's changed, and updated the script to handle it, I'll test on Mageia 3.
Whiteboard: MGA2TOO => MGA2TOO MGA2-64-OK MGA2-32-OK
Before and after installing the update, on Mageia 3, kadmind is failing to start, with /var/log/kadmind.log showing
May 26 19:49:18 i3v.hodgins.homeip.net kadmind[1201](Error): kadmind: could not initialize loop, aborting
The krb5kdc also fails to start. krb5kdc.log has
krb5kdc: Cannot allocate memory - while creating main loop
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK => MGA2TOO MGA2-64-OK MGA2-32-OK feedback
Created attachment 4056: krb5_server_setup.sh modified to work on Mageia 2 or 3.
CC: (none) => guillomovitch
Created attachment 4057: krb5_server_setup.sh modified to also fix changed location of kadm5.keytab
Attachment 4056 is obsolete: 0 => 1
For the memory problem in krb5kdc, found http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=652699
After installing libverto-libev, I can start both the krb5kdc service and the kadmin services. Do you want to hold this update until the requires is added, or should I open a separate bug report, and validate this one, when I'm finished testing?
This actually sounds like something that should be fixed. Normally library requires are picked up automatically, but it could be that it dlopen()'s this library, in which case it wouldn't be. I see that libverto-libev provides a "libverto-module-base," but so do a couple other libverto subpackages. I don't know if krb5 can use any of them or if it needs a specific one (%{lib}vert-libev in this case). Guillaume, do you know which requires we should add here?
I've finished testing, with the libverto-libev package installed, and am prepared to validate this bug report with bug 10307 opened for the missing requires, but I'll hold off till a decision is made.
According to my understanding, and the Fedora package, any libverto backend should work, so just requiring "libverto-module-base" should be enough.
Thanks Dave and Guillaume. Fixed packages uploaded for Mageia 3 and Cauldron.
Advisory:
========================
Updated krb5 packages fix security vulnerability:
The kpasswd service provided by kadmind was vulnerable to a UDP ping-pong attack (CVE-2002-2443).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2443
https://bugzilla.redhat.com/show_bug.cgi?id=962531
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:166/
========================
Updated packages in core/updates_testing:
========================
krb5-1.9.2-2.6.mga2
libkrb53-1.9.2-2.6.mga2
libkrb53-devel-1.9.2-2.6.mga2
krb5-server-1.9.2-2.6.mga2
krb5-server-ldap-1.9.2-2.6.mga2
krb5-workstation-1.9.2-2.6.mga2
krb5-pkinit-openssl-1.9.2-2.6.mga2
krb5-1.11.1-1.2.mga3
libkrb53-devel-1.11.1-1.2.mga3
libkrb53-1.11.1-1.2.mga3
krb5-server-1.11.1-1.2.mga3
krb5-server-ldap-1.11.1-1.2.mga3
krb5-workstation-1.11.1-1.2.mga3
krb5-pkinit-openssl-1.11.1-1.2.mga3
from Source RPMs:
krb5-1.9.2-2.6.mga2.src.rpm
krb5-1.11.1-1.2.mga3.src.rpm
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK feedback => MGA2TOO MGA2-64-OK MGA2-32-OK
Testing complete on Mageia 3 i586 and x86_64, and updates made to testing procedure https://wiki.mageia.org/en/QA_procedure:Krb5
Could someone from the sysadmin team push the srpm krb5-1.11.1-1.2.mga3.src.rpm from Mageia 3 Core Updates Testing to Core Updates, and the srpm krb5-1.9.2-2.6.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates.
Advisory:
Updated krb5 packages fix security vulnerability:
The kpasswd service provided by kadmind was vulnerable to a UDP ping-pong attack (CVE-2002-2443).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2443
https://bugzilla.redhat.com/show_bug.cgi?id=962531
http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:166/
https://bugs.mageia.org/show_bug.cgi?id=10090
Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA2-64-OK MGA2-32-OK => MGA2TOO MGA2-64-OK MGA2-32-OK MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update has been pushed.
Status: NEW => RESOLVED
CC: (none) => boklm
Resolution: (none) => FIXED
CC: boklm => (none)