Upstream has issued an advisory on February 3: http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.txt Debian has issued an advisory for this: https://www.debian.org/security/2015/dsa-3153 Patched packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated krb5 packages fix security vulnerabilities: Incorrect memory management in the libgssapi_krb5 library might result in denial of service or the execution of arbitrary code (CVE-2014-5352). Incorrect memory management in kadmind's processing of XDR data might result in denial of service or the execution of arbitrary code (CVE-2014-9421). Incorrect processing of two-component server principals might result in impersonation attacks (CVE-2014-9422). An information leak in the libgssrpc library (CVE-2014-9423). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423 http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2015-001.txt https://www.debian.org/security/2015/dsa-3153 ======================== Updated packages in core/updates_testing: ======================== krb5-1.11.4-1.4.mga4 libkrb53-devel-1.11.4-1.4.mga4 libkrb53-1.11.4-1.4.mga4 krb5-server-1.11.4-1.4.mga4 krb5-server-ldap-1.11.4-1.4.mga4 krb5-workstation-1.11.4-1.4.mga4 krb5-pkinit-openssl-1.11.4-1.4.mga4 from krb5-1.11.4-1.4.mga4.src.rpm Reproducible: Steps to Reproduce:
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Krb5
Whiteboard: (none) => has_procedure
URL: (none) => http://lwn.net/Vulnerabilities/631828/
Testing on Mageia 4x64 real hardware following procedure mentioned in Comment 1 From current packages : --------------------- $ rpm -q -i krb5-server Name : krb5-server Version : 1.11.4 Release : 1.3.mga4 Architecture: x86_64 To updated testing packages : --------------------------- - krb5-1.11.4-1.4.mga4.x86_64 - krb5-pkinit-openssl-1.11.4-1.4.mga4.x86_64 - krb5-server-1.11.4-1.4.mga4.x86_64 - krb5-server-ldap-1.11.4-1.4.mga4.x86_64 - krb5-workstation-1.11.4-1.4.mga4.x86_64 - lib64krb53-1.11.4-1.4.mga4.x86_64 - lib64krb53-devel-1.11.4-1.4.mga4.x86_64 In both instances after restarting xinetd.service, command $ krlogin $(hostname) showed : This rlogin session is encrypting all data transmissions. All OK
CC: (none) => olchalWhiteboard: has_procedure => has_procedure MGA4-64-OK
Advisory uploaded.
Whiteboard: has_procedure MGA4-64-OK => has_procedure advisory MGA4-64-OK
I've never been able to get Dave's full test cases working in a VM with the secure msec level set, but I have krb5.conf configured for our AD server domain here, and kinit (AD username) works and klist shows me my ticket. I think that's a sufficient test (Mageia 4 i586).
Whiteboard: has_procedure advisory MGA4-64-OK => has_procedure advisory MGA4-64-OK MGA4-32-OK
Validating. Please push to 4 updates. Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0066.html
Status: NEW => RESOLVEDResolution: (none) => FIXED