Fedora has issued an advisory on July 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4HNWXM6OQU7G23MG7XWIOBRGP43ECLDT/

The RedHat bug for this is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1473560

Patched packages uploaded for Mageia 5, Mageia 6, and Cauldron.

Advisory:
========================

Updated krb5 packages fix security vulnerability:

A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request (CVE-2017-11368).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11368
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4HNWXM6OQU7G23MG7XWIOBRGP43ECLDT/
========================

Updated packages in core/updates_testing:
========================
krb5-1.12.5-1.2.mga5
libkrb53-devel-1.12.5-1.2.mga5
libkrb53-1.12.5-1.2.mga5
krb5-server-1.12.5-1.2.mga5
krb5-server-ldap-1.12.5-1.2.mga5
krb5-workstation-1.12.5-1.2.mga5
krb5-pkinit-openssl-1.12.5-1.2.mga5

krb5-1.15.1-2.1.mga6
libkrb53-devel-1.15.1-2.1.mga6
libkrb53-1.15.1-2.1.mga6
krb5-server-1.15.1-2.1.mga6
krb5-server-ldap-1.15.1-2.1.mga6
krb5-workstation-1.15.1-2.1.mga6
krb5-pkinit-openssl-1.15.1-2.1.mga6

from SRPMS:
krb5-1.12.5-1.2.mga5.src.rpm
krb5-1.15.1-2.1.mga6.src.rpm
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Krb5
Whiteboard: (none) => has_procedure
CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5TOO advisory
MGA6-32 on Asus A6000VM MATE
No installation issues.
I ran into problems with the procedure, at least partly due to the fact that I definitely refuse to do sudo. So I tried as root:

# /home/tester6/bin/krb5_server_setup.sh tester6
Checking dns setup for mach6.hviaene.thuis
Good. Forward and reverse dsn settings for mach6.hviaene.thuis match
The realm name will be set to MACH6.HVIAENE.THUIS
Use of uninitialized value in null operation at /usr/lib/perl5/vendor_perl/5.22.2/i386-linux-thread-multi/URPM/Resolve.pm line 1847.
To satisfy dependencies, the following packages will be installed:
  Package                Version    Release    Arch
(medium "Core Release (distrib1)")
  krb5-appl-servers      1.0.3      8.mga6     i586
  xinetd                 2.3.15     9.mga6     i586
698KB of additional disk space will be used.
274KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y
$MIRRORLIST: media/core/release/xinetd-2.3.15-9.mga6.i586.rpm
$MIRRORLIST: media/core/release/krb5-appl-servers-1.0.3-8.mga6.i586.rpm
installing krb5-appl-servers-1.0.3-8.mga6.i586.rpm xinetd-2.3.15-9.mga6.i586.rpm from /var/cache/urpmi/rpms
Preparing...                  ##################################################
      1/2: xinetd             ##################################################
      2/2: krb5-appl-servers  ##################################################
Setting realm name in /usr/lib/tmpfiles.d/krb5kdc.conf /var/lib/krb5kdc/kdc.conf
Setting realm and host names in /etc/krb5.conf
Setting realm name in /var/lib/krb5kdc/kadm5.acl
Creating database in /var/lib/krb5kdc/principal
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'MACH6.HVIAENE.THUIS',
master key name 'K/M@MACH6.HVIAENE.THUIS'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
kadmin.local: unable to get default realm
Redirecting to /bin/systemctl start krb5kdc.service
Job for krb5kdc.service failed because the control process exited with error code.
See "systemctl status krb5kdc.service" and "journalctl -xe" for details.
Note: Forwarding request to 'systemctl enable krb5kdc.service'.
Note: Forwarding request to 'systemctl enable kadmin.service'.
Copy /etc/krb5.conf to any client stations, and install krb5-appl-clients on them

[root@mach6 ~]# systemctl status krb5kdc.service
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2017-08-09 13:54:16 CEST; 1min 16s ago

Aug 09 13:54:16 mach6.hviaene.thuis systemd[1]: Starting Kerberos 5 KDC...
Aug 09 13:54:16 mach6.hviaene.thuis krb5kdc[9113]: krb5kdc: Configuration file does not specify default realm, attempting
Aug 09 13:54:16 mach6.hviaene.thuis systemd[1]: krb5kdc.service: Control process exited, code=exited status=1
Aug 09 13:54:16 mach6.hviaene.thuis systemd[1]: Failed to start Kerberos 5 KDC.
Aug 09 13:54:16 mach6.hviaene.thuis systemd[1]: krb5kdc.service: Unit entered failed state.
Aug 09 13:54:16 mach6.hviaene.thuis systemd[1]: krb5kdc.service: Failed with result 'exit-code'.

It turned out that the realm settings were in the conf file but all commented out, so I removed the "#"s and went on:
# systemctl start krb5kdc.service
is OK now.
Edited /etc/xinetd.d/eklogin and
# systemctl restart xinetd.service
is also OK, but
$ kinit
kinit: Unknown credential cache type while getting default ccache
CC: (none) => herman.viaene
Seems that in Mageia 6, /etc/krb5.conf in the package has changed so that the lines with example.com, or EXAMPLE.COM, which the script changes to the realm based on the host name, are commented out. I'll change the script to handle it, and then attach it to this bug report.
CC: (none) => davidwhodgins
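One way to do what the previous comment describes, written here as an added example rather than the attached QA script: uncomment the placeholder realm stanzas in a Mageia 6 style /etc/krb5.conf, substitute the realm and host names, and then confirm that a default_realm is actually active, which is the condition krb5kdc and kadmin.local were failing on in the log above. The sample configuration is constructed for this example; the host name mach6.hviaene.thuis and the rule that the realm is the upper-cased FQDN are taken from the script output in the report, and the placeholder names example.com / EXAMPLE.COM are assumed to be what the stock file ships with.

```shell
#!/bin/sh
# Added example, not the attached QA script: fix up a krb5.conf whose realm
# lines ship commented out (as in the Mageia 6 package) so that krb5kdc and
# kadmin.local can find a default realm. Assumptions: placeholders are
# example.com / EXAMPLE.COM, and the realm is the upper-cased FQDN, as the
# report's script printed for mach6.hviaene.thuis.

# Constructed sample krb5.conf with every realm-bearing line commented out.
make_sample_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
#    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
    ticket_lifetime = 24h

[realms]
# EXAMPLE.COM = {
#  kdc = kerberos.example.com
#  admin_server = kerberos.example.com
# }

[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
EOF
}

# default_realm FILE: print the active (uncommented) default_realm, or nothing.
# An empty result is the condition behind "unable to get default realm".
default_realm() {
    sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# set_realm FILE FQDN: uncomment the placeholder lines (plus the brace that
# closes a realm block) and substitute realm and host names in place.
set_realm() {
    conf=$1
    fqdn=$2
    realm=$(printf '%s' "$fqdn" | tr '[:lower:]' '[:upper:]')
    awk -v realm="$realm" -v fqdn="$fqdn" '
        # Strip a leading "#" from lines carrying the placeholder, and from
        # the "}" that closes a realm block we have just uncommented.
        tolower($0) ~ /example\.com/ || (inblock && $0 ~ /^[ \t]*#[ \t]*}/) {
            sub(/^[ \t]*#[ \t]?/, "")
        }
        /=[ \t]*\{[ \t]*$/ { inblock = 1 }
        /^[ \t]*}/         { inblock = 0 }
        {
            gsub(/kerberos\.example\.com/, fqdn)   # KDC/admin host -> this host
            gsub(/EXAMPLE\.COM/, realm)            # realm placeholder
            gsub(/example\.com/, fqdn)             # domain_realm placeholder
            print
        }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Stand-alone run: build the sample, fix it, show before/after and the result.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_conf "$f"
    echo "before: default_realm='$(default_realm "$f")'"
    set_realm "$f" mach6.hviaene.thuis
    echo "after:  default_realm='$(default_realm "$f")'"
    cat "$f"
    rm -f "$f"
fi
```

Run it with `--demo` to see the rewritten file; on a real host you would point set_realm at /etc/krb5.conf (after backing it up) and then check `default_realm /etc/krb5.conf` prints a realm before starting krb5kdc.service. The closing-brace handling matters: uncommenting only lines that mention the placeholder leaves the realm block unterminated, which krb5 rejects as a parse error rather than a missing realm.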
Created attachment 9586
Updated kerberos setup script for qa testing
Modified the wiki page to have the above attachment number.
Tested both arches on both releases with results similar to ...

[dave@i5v ~]$ kinit
Password for dave@I5V.HODGINS.HOMEIP.NET:
[dave@i5v ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dave@I5V.HODGINS.HOMEIP.NET

Valid starting     Expires            Service principal
12/08/17 00:59:22  13/08/17 00:59:22  krbtgt/I5V.HODGINS.HOMEIP.NET@I5V.HODGINS.HOMEIP.NET

Validating the update.
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure MGA5TOO advisory => has_procedure MGA5TOO advisory MGA5-64-OK MGA5-32-OK MGA6-64-OK MGA6-32-OK
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0256.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED