Bug 14816 - krb5 new security issues CVE-2014-535[34]
Summary: krb5 new security issues CVE-2014-535[34]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/627331/
Whiteboard: has_procedure advisory MGA4-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-12-16 16:08 CET by David Walser
Modified: 2015-02-11 18:39 CET (History)
2 users (show)

See Also:
Source RPM: krb5-1.11.4-1.2.mga4.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2014-12-16 16:08:35 CET
Two security issues fixed upstream in krb5 have been announced:
http://openwall.com/lists/oss-security/2014/12/16/1

CVE-2014-5354 doesn't affect versions before 1.12, so Mageia 4 is not affected.

Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerability:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal.  The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals (CVE-2014-5353).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773226
========================

Updated packages in core/updates_testing:
========================
krb5-1.11.4-1.3.mga4
libkrb53-devel-1.11.4-1.3.mga4
libkrb53-1.11.4-1.3.mga4
krb5-server-1.11.4-1.3.mga4
krb5-server-ldap-1.11.4-1.3.mga4
krb5-workstation-1.11.4-1.3.mga4
krb5-pkinit-openssl-1.11.4-1.3.mga4

from krb5-1.11.4-1.3.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-16 16:08:51 CET
Testing procedure:
https://wiki.mageia.org/en/QA_procedure:Krb5

Whiteboard: (none) => has_procedure

Comment 2 David Walser 2014-12-16 22:29:57 CET
Given that the only thing impacted by this change is using the LDAP backend for the KDC database, which is unlikely to be tested by anyone, full testing via the procedure is not really necessary.  Just testing that the packages install is sufficient, although I just tested the kinit is able to successfully give me a ticket (tested against an Active Directory KDC), so at least I know a gamma ray didn't hit the build system and completely break the updated build :o)

Adding an OK for Mageia 4 i586.

Whiteboard: has_procedure => has_procedure MGA4-32-OK

Comment 3 olivier charles 2014-12-18 20:30:15 CET
Tested succesfully on Mageia4x64 following procedure mentioned in Comment 1

From current packages :
---------------------
krb5-1.11.4-1.2.mga4
krb5-workstation-1.11.4-1.2.mga4
krb5-server-1.11.4-1.2.mga4
krb5-server-ldap-1.11.4-1.2.mga4

To updated testing packages :
---------------------------
lib64krb53-1.11.4-1.3.mga4
krb5-1.11.4-1.3.mga4
krb5-workstation-1.11.4-1.3.mga4
krb5-server-1.11.4-1.3.mga4
krb5-server-ldap-1.11.4-1.3.mga4

CC: (none) => olchal
Whiteboard: has_procedure MGA4-32-OK => has_procedure MGA4-32-OK MGA4-64-OK

Comment 4 claire robinson 2014-12-18 22:47:37 CET
Validating. Advisory uploaded.

Could sysadmin please push to updates

Thanks

Whiteboard: has_procedure MGA4-32-OK MGA4-64-OK => has_procedure advisory MGA4-32-OK MGA4-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2014-12-19 16:07:26 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0536.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2014-12-22 20:26:19 CET

URL: (none) => http://lwn.net/Vulnerabilities/627331/

Comment 6 David Walser 2015-02-11 18:39:33 CET
LWN reference for CVE-2014-5354:
http://lwn.net/Vulnerabilities/632907/

Note You need to log in before you can comment on or make changes to this bug.