Upstream has released version 1.11.4 on November 4, fixing two security issues:
http://web.mit.edu/kerberos/krb5-1.11/

CVE-2013-1417 was fixed in July here:
https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc

Looking at the code, I don't believe CVE-2013-1417 affects 1.9.2 in Mageia 2.

For CVE-2013-1418, Fedora incorporated an upstream patch against 1.11.3 in Fedora 19 here:
http://pkgs.fedoraproject.org/cgit/krb5.git/commit/?h=f19&id=74a7640cba4b98dde8e04127fef62718f4003a1e

More details on CVE-2013-1418 are in the RedHat bug here:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1418

The CVE-2013-1418 patch is easily re-diffed against 1.9.2 for Mageia 2.

I've checked the CVE-2013-1417 and CVE-2013-1418 patches in to SVN for Mageia 3 and the CVE-2013-1418 patch into SVN for Mageia 2. I've also verified that 1.11.4 builds in Cauldron.

Guillaume, if you'd like, I can check it into Cauldron SVN and request the freeze push, or you can do it.
Whiteboard: (none) => MGA3TOO, MGA2TOO
Just compiling the advisories for when we do push this to QA.

BTW the commit log entry for CVE-2013-1417 confirms that only 1.11.x is vulnerable. CVE-2013-1418 was also fixed in 1.10.7 for that branch.

Advisory (Mageia 2):
========================

Updated krb5 packages fix security vulnerabilities:

If a KDC serves multiple realms, certain requests can cause setup_server_realm() to dereference a null pointer, crashing the KDC. This can be triggered by an unauthenticated user (CVE-2013-1418).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418
http://web.mit.edu/kerberos/krb5-1.11/README-1.11.4.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1418
========================

Updated packages in core/updates_testing:
========================
krb5-1.9.2-2.7.mga2
libkrb53-1.9.2-2.7.mga2
libkrb53-devel-1.9.2-2.7.mga2
krb5-server-1.9.2-2.7.mga2
krb5-server-ldap-1.9.2-2.7.mga2
krb5-workstation-1.9.2-2.7.mga2
krb5-pkinit-openssl-1.9.2-2.7.mga2

from krb5-1.9.2-2.7.mga2.src.rpm

Advisory (Mageia 3):
========================

Updated krb5 packages fix security vulnerabilities:

An authenticated remote client can cause a KDC to crash by making a valid TGS-REQ to a KDC serving a realm with a single-component name. The process_tgs_req() function dereferences a null pointer because an unusual failure condition causes a helper function to return success (CVE-2013-1417).

If a KDC serves multiple realms, certain requests can cause setup_server_realm() to dereference a null pointer, crashing the KDC. This can be triggered by an unauthenticated user (CVE-2013-1418).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418
http://web.mit.edu/kerberos/krb5-1.11/README-1.11.4.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1418
========================

Updated packages in core/updates_testing:
========================
krb5-1.11.1-1.3.mga3
libkrb53-devel-1.11.1-1.3.mga3
libkrb53-1.11.1-1.3.mga3
krb5-server-1.11.1-1.3.mga3
krb5-server-ldap-1.11.1-1.3.mga3
krb5-workstation-1.11.1-1.3.mga3
krb5-pkinit-openssl-1.11.1-1.3.mga3

from krb5-1.11.1-1.3.mga3.src.rpm
krb5-1.11.4-1.mga4 uploaded for Cauldron. Thanks Guillaume!
Version: Cauldron => 3
Whiteboard: MGA3TOO, MGA2TOO => MGA2TOO
Patched packages uploaded for Mageia 2 and Mageia 3. Advisories and package lists in Comment 1.
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
Testing complete on Mageia 2 and 3, i586 and x86_64.

Could someone from the sysadmin team push the advisories 11668.mga2.adv and 11668.mga3.adv to updates?
CC: (none) => davidwhodgins
Whiteboard: MGA2TOO => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK advisory validated_update
Keywords: (none) => validated_update
Whiteboard: MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK advisory validated_update => MGA2TOO MGA3-64-OK MGA3-32-OK MGA2-64-OK MGA2-32-OK advisory
CC: (none) => sysadmin-bugs
======================================================
Name: CVE-2013-6800
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6800
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20131115
Category:
Reference: CONFIRM:http://krbdev.mit.edu/rt/Ticket/Display.html?id=7757
Reference: CONFIRM:https://github.com/krb5/krb5/commit/c2ccf4197f697c4ff143b8a786acdd875e70a89d

An unspecified third-party database module for the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.10.x allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request, a different vulnerability than CVE-2013-1418.
CC: (none) => oe
Summary: krb5 new security issues CVE-2013-1417 and CVE-2013-1418 => krb5 new security issues CVE-2013-1417, CVE-2013-1418, CVE-2013-6800
I concur with the RedHat folks that CVE-2013-6800 shouldn't have been assigned for this; it's just a simple NULL pointer dereference and it's CVE-2013-1418. We don't have 1.10.x packaged, and our update is for 1.11.x for Mageia 3. For 1.9.x for Mageia 2, I don't see any reason to call it anything other than CVE-2013-1418.

https://bugzilla.redhat.com/show_bug.cgi?id=1031499
Summary: krb5 new security issues CVE-2013-1417, CVE-2013-1418, CVE-2013-6800 => krb5 new security issues CVE-2013-1417 and CVE-2013-1418
Mga2 update pushed: http://advisories.mageia.org/MGASA-2013-0335.html
Mga3 update pushed: http://advisories.mageia.org/MGASA-2013-0336.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/574583/