Bug 21550 - heimdal new security issue CVE-2017-6594
Summary: heimdal new security issue CVE-2017-6594
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-32-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-08-17 12:20 CEST by David Walser
Modified: 2017-08-25 22:36 CEST

See Also:
Source RPM: heimdal-1.5.3-6.1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-08-17 12:20:50 CEST
openSUSE has issued an advisory today (August 17):
https://lists.opensuse.org/opensuse-updates/2017-08/msg00062.html
Comment 1 Marja Van Waes 2017-08-17 19:21:30 CEST
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => guillomovitch

Comment 2 Guillaume Rousse 2017-08-21 21:59:14 CEST
release 1.5.3-6.2.mga5 just submitted in updates_testing

Assignee: guillomovitch => qa-bugs

Comment 3 David Walser 2017-08-21 22:37:38 CEST
Advisory:
========================

Updated heimdal packages fix security vulnerability:

Transit path validation inadvertently caused the previous hop realm to not be
added to the transit path of issued tickets. This may, in some cases, enable
bypass of capath policy in Heimdal versions 1.5 through 7.2 (CVE-2017-6594).

Note, this may break sites that rely on the bug. With the bug some incomplete
[capaths] worked, that should not have. These may now break authentication in
some cross-realm configurations.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594
https://lists.opensuse.org/opensuse-updates/2017-08/msg00062.html
========================

Updated packages in core/updates_testing:
========================
heimdal-workstation-1.5.3-6.2.mga5
heimdal-server-1.5.3-6.2.mga5
heimdal-libs-1.5.3-6.2.mga5
heimdal-ftp-1.5.3-6.2.mga5
heimdal-rsh-1.5.3-6.2.mga5
heimdal-telnet-1.5.3-6.2.mga5
heimdal-ftpd-1.5.3-6.2.mga5
heimdal-rshd-1.5.3-6.2.mga5
heimdal-telnetd-1.5.3-6.2.mga5
heimdal-daemons-1.5.3-6.2.mga5
heimdal-devel-1.5.3-6.2.mga5
heimdal-devel-doc-1.5.3-6.2.mga5

from heimdal-1.5.3-6.2.mga5.src.rpm
Comment 4 Herman Viaene 2017-08-25 11:27:10 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
This is beyond me, but I found a site that might inspire someone else to do more in-depth testing:
http://chschneider.eu/linux/server/heimdal.shtml

A few commands I could at least enter.
As root:
# systemctl start heimdal
# systemctl status heimdal
● heimdal.service - LSB: Heimdal Kerberos servers
   Loaded: loaded (/etc/rc.d/init.d/heimdal)
   Active: active (running) since vr 2017-08-25 11:12:57 CEST; 10s ago
  Process: 7569 ExecStart=/etc/rc.d/init.d/heimdal start (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/heimdal.service
           └─7579 /usr/sbin/kdc --detach

aug 25 11:12:57 mach6.hviaene.thuis heimdal[7569]: Starting Heimdal Kerberos 5 Key Distribution Center:/usr/bin...pid'
aug 25 11:12:57 mach6.hviaene.thuis heimdal[7569]: Typ '/usr/bin/dirname --help' voor meer informatie.
aug 25 11:12:57 mach6.hviaene.thuis heimdal[7569]: [  OK  ]
Hint: Some lines were ellipsized, use -l to show in full.
and then
# kadmin
kadmin> quit
I have no idea what else I could do at this prompt.
As normal user:
$ verify_krb5_conf 
verify_krb5_conf: krb5_config_parse_file: open /home/tester5/.krb5/config: No such file or directory
verify_krb5_conf: /realms/EXAMPLE.COM/kdc: Name or service not known (kerberos.example.com)
verify_krb5_conf: /realms/EXAMPLE.COM/admin_server: Name or service not known (kerberos.example.com)
Which seems sensible as no real configuration has been done.

Unless someone objects OK for me.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Comment 5 Lewis Smith 2017-08-25 21:33:50 CEST
Herman: heroic to even try this thing! Thanks.
Advisory uploaded; validating also as it is for Mageia 5 only.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2017-08-25 22:36:42 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0308.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

