A security issue in MIT krb5 has been fixed upstream in 1.13:
https://bugzilla.redhat.com/show_bug.cgi?id=1145425

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerability:

The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access (CVE-2014-5351).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5351
https://bugzilla.redhat.com/show_bug.cgi?id=1145425
========================

Updated packages in core/updates_testing:
========================
krb5-1.11.1-1.5.mga3
libkrb53-devel-1.11.1-1.5.mga3
libkrb53-1.11.1-1.5.mga3
krb5-server-1.11.1-1.5.mga3
krb5-server-ldap-1.11.1-1.5.mga3
krb5-workstation-1.11.1-1.5.mga3
krb5-pkinit-openssl-1.11.1-1.5.mga3

krb5-1.11.4-1.2.mga4
libkrb53-devel-1.11.4-1.2.mga4
libkrb53-1.11.4-1.2.mga4
krb5-server-1.11.4-1.2.mga4
krb5-server-ldap-1.11.4-1.2.mga4
krb5-workstation-1.11.4-1.2.mga4
krb5-pkinit-openssl-1.11.4-1.2.mga4

from SRPMS:
krb5-1.11.1-1.5.mga3.src.rpm
krb5-1.11.4-1.2.mga4.src.rpm
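The advisory lists the fixed builds but a tester still has to decide whether what `rpm -qa` prints is older than them, and RPM release tags ("1.4.mga3" vs "1.5.mga3", "1.10" vs "1.9") do not compare as plain strings. The following is an added example, not part of this bug report or of the Mageia krb5 packages: a small Python port of rpm's `rpmvercmp()` segment comparison, plus a check that maps installed NVRA lines to the advisory's fixed version-release by Mageia release. The `rpm -qa` input is constructed from the package list in comment 1 (names such as lib64krb53 are folded onto the advisory's libkrb53); the fixed-version table is taken from the advisory text. Epoch is treated as 0 because plain `rpm -qa` output does not print it.

```python
import re

# Fixed builds from the advisory, keyed by the Mageia release a package's
# release tag ends in. All seven binary packages share one version-release.
FIXED_VR = {"mga3": "1.11.1-1.5.mga3", "mga4": "1.11.4-1.2.mga4"}
ADVISORY_PKGS = {
    "krb5", "libkrb53", "libkrb53-devel", "krb5-server", "krb5-server-ldap",
    "krb5-workstation", "krb5-pkinit-openssl",
}

# Constructed sample input: the "current packages" list from comment 1 as
# 'rpm -qa' prints it, including lib64 names and unrelated packages.
INSTALLED_BEFORE = """\
krb5-pkinit-openssl-1.11.1-1.4.mga3.x86_64
krb5-server-1.11.1-1.4.mga3.x86_64
krb5-server-ldap-1.11.1-1.4.mga3.x86_64
krb5-workstation-1.11.1-1.4.mga3.x86_64
lib64ev4-4.11-3.mga3.x86_64
lib64ldap2.4_2-devel-2.4.33-7.1.mga3.x86_64
lib64verto1-0.2.5-2.mga3.x86_64
""".splitlines()

# Constructed: the same system after installing the updates_testing packages.
INSTALLED_AFTER = """\
krb5-1.11.1-1.5.mga3.x86_64
krb5-server-1.11.1-1.5.mga3.x86_64
lib64krb53-1.11.1-1.5.mga3.x86_64
lib64krb53-devel-1.11.1-1.5.mga3.x86_64
""".splitlines()


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric or '~') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        # '~' sorts before anything, even end of string: "1.0~rc1" < "1.0".
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Segment type is decided by a's next char: digit run or letter run.
        numeric = a[i].isdigit()
        pat = r"[0-9]+" if numeric else r"[a-zA-Z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if mb is None:
            return 1 if numeric else -1  # numeric segment beats alpha segment
        sb = mb.group(0)
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits means a larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # leftover characters win


def _split_evr(evr: str):
    epoch, sep, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return (epoch if sep else "0"), version, release


def evrcmp(a: str, b: str) -> int:
    """Compare '[epoch:]version-release' strings the way rpm orders them."""
    for x, y in zip(_split_evr(a), _split_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def parse_nvra(nvra: str):
    """Split 'name-version-release.arch' from 'rpm -qa' (arch must be present)."""
    name, version, relarch = nvra.rsplit("-", 2)
    release, _, arch = relarch.rpartition(".")
    return name, version, release, arch


def unpatched(rpm_qa_lines, fixed_vr=FIXED_VR, pkgs=ADVISORY_PKGS):
    """Return [(name, installed_vr, fixed_vr)] for advisory packages still older than the fix."""
    out = []
    for line in rpm_qa_lines:
        name, version, release, _arch = parse_nvra(line.strip())
        key = re.sub(r"^lib64", "lib", name)  # lib64krb53 -> libkrb53 as in the advisory
        m = re.search(r"\.(mga\d+)$", release)
        if not m or key not in pkgs or m.group(1) not in fixed_vr:
            continue
        installed = f"{version}-{release}"
        if evrcmp(installed, fixed_vr[m.group(1)]) < 0:
            out.append((name, installed, fixed_vr[m.group(1)]))
    return out


if __name__ == "__main__":
    for name, have, want in unpatched(INSTALLED_BEFORE):
        print(f"{name}: installed {have} is older than fixed {want}")
```

On a real box, feed it `subprocess.check_output(["rpm", "-qa", "krb5*", "lib*krb53*"], text=True).splitlines()` in place of the constructed lists; an empty result from `unpatched()` means every advisory package present is at or above the fixed build.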
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Krb5
Whiteboard: (none) => MGA3TOO has_procedure
krb5 current packages:
---------------------
- krb5-pkinit-openssl-1.11.1-1.4.mga3.x86_64
- krb5-server-1.11.1-1.4.mga3.x86_64
- krb5-server-ldap-1.11.1-1.4.mga3.x86_64
- krb5-workstation-1.11.1-1.4.mga3.x86_64
- lib64ev4-4.11-3.mga3.x86_64
- lib64ldap2.4_2-devel-2.4.33-7.1.mga3.x86_64
- lib64verto1-0.2.5-2.mga3.x86_64
- lib64wrap-devel-7.6-43.mga3.x86_64
- libverto-libev-0.2.5-2.mga3.x86_64

Followed procedure mentioned in comment 1.
To make it work, had to
# urpmi bind
configure firewall and reboot. Could then complete procedure.

Updated to testing packages
---------------------------
- krb5-1.11.1-1.5.mga3.x86_64
- krb5-pkinit-openssl-1.11.1-1.5.mga3.x86_64
- krb5-server-1.11.1-1.5.mga3.x86_64
- krb5-server-ldap-1.11.1-1.5.mga3.x86_64
- krb5-workstation-1.11.1-1.5.mga3.x86_64
- lib64krb53-1.11.1-1.5.mga3.x86_64
- lib64krb53-devel-1.11.1-1.5.mga3.x86_64

rebooted
$ kinit
$ klist
$ krlogin $(hostname)
still showed expected results. OK then.
CC: (none) => olchal
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-64-OK
Testing complete on a Mageia 4 x86-64 VM in the same way as comment 1 suggested. Now going to test a Mageia 4 i586 VM.
CC: (none) => shlomif
Whiteboard: MGA3TOO has_procedure MGA3-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK
(In reply to Shlomi Fish from comment #3)
> Testing complete on a Mageia 4 x86-64 VM in the same way as comment 1
> suggested.
>
> Now going to test a Mageia 4 i586 VM.

Test procedure ran fine on a Mageia 4 i586 VM.
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK
I finally got this to work (Mageia 3 i586). I noticed that the path to kadm5.keytab in the script is incorrect (should be /var/lib/krb5kdc). The trick to finally getting this to work was, I had to change my /etc/hosts entry that had my hostname from 127.0.0.1 to my actual IP address.
Whiteboard: MGA3TOO has_procedure MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK
Validating, advisory uploaded.
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-64-OK MGA4-32-OK advisory
CC: (none) => remi, sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0477.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/622610/