Two security issues fixed upstream in krb5 have been announced:
http://openwall.com/lists/oss-security/2014/12/16/1

CVE-2014-5354 doesn't affect versions before 1.12, so Mageia 4 is not affected.

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerability:

In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an
authenticated remote attacker can cause a NULL dereference by attempting to use
a named ticket policy object as a password policy for a principal. The attacker
needs to be authenticated as a user who has the elevated privilege for setting
password policy by adding or modifying principals (CVE-2014-5353).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773226
========================

Updated packages in core/updates_testing:
========================
krb5-1.11.4-1.3.mga4
libkrb53-devel-1.11.4-1.3.mga4
libkrb53-1.11.4-1.3.mga4
krb5-server-1.11.4-1.3.mga4
krb5-server-ldap-1.11.4-1.3.mga4
krb5-workstation-1.11.4-1.3.mga4
krb5-pkinit-openssl-1.11.4-1.3.mga4

from krb5-1.11.4-1.3.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Krb5
Whiteboard: (none) => has_procedure
Given that the only thing impacted by this change is using the LDAP backend for the KDC database, which is unlikely to be tested by anyone, full testing via the procedure is not really necessary. Just testing that the packages install is sufficient, although I just tested that kinit is able to successfully give me a ticket (tested against an Active Directory KDC), so at least I know a gamma ray didn't hit the build system and completely break the updated build :o) Adding an OK for Mageia 4 i586.
Whiteboard: has_procedure => has_procedure MGA4-32-OK
Tested successfully on Mageia4 x64 following procedure mentioned in Comment 1

From current packages :
---------------------
krb5-1.11.4-1.2.mga4
krb5-workstation-1.11.4-1.2.mga4
krb5-server-1.11.4-1.2.mga4
krb5-server-ldap-1.11.4-1.2.mga4

To updated testing packages :
---------------------------
lib64krb53-1.11.4-1.3.mga4
krb5-1.11.4-1.3.mga4
krb5-workstation-1.11.4-1.3.mga4
krb5-server-1.11.4-1.3.mga4
krb5-server-ldap-1.11.4-1.3.mga4
CC: (none) => olchal
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK
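The two comments above compare the package set before the update (1.11.4-1.2.mga4) with the set in updates_testing (1.11.4-1.3.mga4). The following script is an added example, not part of this bug thread or of Mageia's QA tooling: it takes `rpm -qa`-style output and reports which of the packages named in the advisory are still below the fixed version. The `rpm -qa` samples are constructed from the package names in this thread (plus one unrelated placeholder package), and `rpmvercmp` is a simplified re-implementation of RPM's version comparison (no epoch or tilde handling), so treat it as an assumption rather than the real librpm routine.

```python
import re

# Minimum fixed package versions for Mageia 4, taken from the advisory in this thread.
# Both the i586 (libkrb53) and x86_64 (lib64krb53) library package names are listed.
FIXED = {
    "krb5": "1.11.4-1.3.mga4",
    "libkrb53": "1.11.4-1.3.mga4",
    "libkrb53-devel": "1.11.4-1.3.mga4",
    "lib64krb53": "1.11.4-1.3.mga4",
    "krb5-server": "1.11.4-1.3.mga4",
    "krb5-server-ldap": "1.11.4-1.3.mga4",
    "krb5-workstation": "1.11.4-1.3.mga4",
    "krb5-pkinit-openssl": "1.11.4-1.3.mga4",
}

# Constructed `rpm -qa` output: the pre-update set from Comment 6 plus an
# unrelated placeholder package that the check must ignore.
SAMPLE_BEFORE = """\
krb5-1.11.4-1.2.mga4
krb5-workstation-1.11.4-1.2.mga4
krb5-server-1.11.4-1.2.mga4
krb5-server-ldap-1.11.4-1.2.mga4
lib64krb53-1.11.4-1.2.mga4
examplepkg-1.0-1.mga4
"""

# Constructed `rpm -qa` output after installing the updates_testing packages.
SAMPLE_AFTER = """\
krb5-1.11.4-1.3.mga4
krb5-workstation-1.11.4-1.3.mga4
krb5-server-1.11.4-1.3.mga4
krb5-server-ldap-1.11.4-1.3.mga4
lib64krb53-1.11.4-1.3.mga4
examplepkg-1.0-1.mga4
"""


def _segments(s):
    # Split "1.3.mga4" into ["1", "3", "mga", "4"]; separators are ignored, as in rpm.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Simplified rpmvercmp: return -1, 0 or 1 for a < b, a == b, a > b.

    Numeric segments compare as integers, alphabetic segments lexically, and a
    numeric segment is newer than an alphabetic one in the same position.
    Epoch and tilde ordering are not handled (assumption for this example).
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return (xi > yi) - (xi < yi)
        elif x.isdigit():
            return 1
        elif y.isdigit():
            return -1
        elif x != y:
            return (x > y) - (x < y)
    # Equal prefix: the string with more segments is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def check_installed(rpm_qa_output, fixed=FIXED):
    """Map package name -> (installed version-release, 'patched' | 'vulnerable').

    Only packages named in `fixed` are reported; everything else is skipped.
    """
    result = {}
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        # NEVR without epoch: name-version-release, split from the right.
        name, ver, rel = line.rsplit("-", 2)
        if name not in fixed:
            continue
        fixed_ver, fixed_rel = fixed[name].rsplit("-", 1)
        cmp = rpmvercmp(ver, fixed_ver) or rpmvercmp(rel, fixed_rel)
        result[name] = (f"{ver}-{rel}", "patched" if cmp >= 0 else "vulnerable")
    return result


def vulnerable_packages(rpm_qa_output, fixed=FIXED):
    """Sorted names of advisory packages installed below the fixed version."""
    return sorted(n for n, (_, status) in check_installed(rpm_qa_output, fixed).items()
                  if status == "vulnerable")


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, vulnerable_packages(sample))
```

On a real system the input would come from `rpm -qa` and the package list from the published advisory; the check deliberately reports only the packages the advisory names, so an unpatched but unrelated package never produces a false positive.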
Validating. Advisory uploaded. Could sysadmin please push to updates? Thanks.
Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0536.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
URL: (none) => http://lwn.net/Vulnerabilities/627331/
LWN reference for CVE-2014-5354: http://lwn.net/Vulnerabilities/632907/