Fedora has issued an advisory today (August 28):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2XIPFDWKYB3HQKSWLVJ6AAPFEG6BEPE3/
It corresponds to this upstream pull request which has a CVE noted on it:
https://github.com/krb5/krb5/pull/694
Patch committed in Mageia 6 and Cauldron SVN.
(In reply to David Walser from comment #0)
> Patch committed in Mageia 6 and Cauldron SVN.
Thx :-) Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => guillomovitch
Fedora has issued an advisory on September 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/
This is another minor issue, but it also affects Mageia 5. I've checked the patch into Mageia 6 and Cauldron SVN. The patch needs a minor rediff adjustment for Mageia 5.
Whiteboard: (none) => MGA5TOO
Summary: krb5 new security issue CVE-2017-7562 => krb5 new security issue CVE-2017-7562 and CVE-2017-11462
openSUSE has issued an advisory for CVE-2017-11462 today (October 12):
https://lists.opensuse.org/opensuse-updates/2017-10/msg00041.html
They patched the same version we have in Mageia 5.
SUSE has issued an advisory today (November 8):
https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00011.html
They fixed a new issue, CVE-2017-15088.
The Red Hat bug has a link to the upstream commit that fixed the issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1504045
Severity: normal => major
Summary: krb5 new security issue CVE-2017-7562 and CVE-2017-11462 => krb5 new security issue CVE-2017-7562, CVE-2017-11462, and CVE-2017-15088
(In reply to David Walser from comment #4)
> SUSE has issued an advisory today (November 8):
> https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00011.html
>
> They fixed a new issue, CVE-2017-15088.
>
> The RedHat bug has a link to the upstream commit that fixed the issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=1504045
openSUSE has issued an advisory for this today (November 10):
https://lists.opensuse.org/opensuse-updates/2017-11/msg00039.html
krb5-1.15.1-2.2.mga6 submitted in update_testing for Mageia 6, fixing CVE-2017-7562, CVE-2017-11462 and CVE-2017-15088.
krb5-1.12.5-1.3.mga5 submitted in update_testing for Mageia 5, fixing CVE-2017-11462 and CVE-2017-15088 only, as CVE-2017-7562 doesn't apply.
Thanks Guillaume!
Testing procedure: https://wiki.mageia.org/en/QA_procedure:Krb5

Advisory:
========================

Updated krb5 packages fix security vulnerabilities:

An authentication bypass flaw was found in the way krb5's certauth interface handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances (CVE-2017-7562).

RFC 2744 permits a GSS-API implementation to delete an existing security context on a second or subsequent call to gss_init_sec_context() or gss_accept_sec_context() if the call results in an error. This API behavior has been found to be dangerous, leading to the possibility of memory errors in some callers. For safety, GSS-API implementations should instead preserve existing security contexts on error until the caller deletes them (CVE-2017-11462).

A buffer overflow vulnerability was found in get_matching_data() function when both the CA cert and the user cert have a long subject affecting krb5 that includes certauth plugin. Attack requires a validated certificate with a long subject and issuer, and a "pkinit_cert_match" string attribute on some principal in the database. A remote code execution exploit might also require that the attacker gets to choose the contents of the issuer in the validated cert (CVE-2017-15088).

Note that the CVE-2017-7562 issue only affected Mageia 6.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7562
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11462
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15088
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2XIPFDWKYB3HQKSWLVJ6AAPFEG6BEPE3/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2FPRUP4YVOEBGEROUYWZFEQ64HTMGNED/
https://lists.opensuse.org/opensuse-updates/2017-11/msg00039.html
========================

Updated packages in core/updates_testing:
========================
krb5-1.12.5-1.3.mga5
libkrb53-devel-1.12.5-1.3.mga5
libkrb53-1.12.5-1.3.mga5
krb5-server-1.12.5-1.3.mga5
krb5-server-ldap-1.12.5-1.3.mga5
krb5-workstation-1.12.5-1.3.mga5
krb5-pkinit-openssl-1.12.5-1.3.mga5
krb5-1.15.1-2.2.mga6
libkrb53-devel-1.15.1-2.2.mga6
libkrb53-1.15.1-2.2.mga6
krb5-server-1.15.1-2.2.mga6
krb5-server-ldap-1.15.1-2.2.mga6
krb5-workstation-1.15.1-2.2.mga6
krb5-pkinit-openssl-1.15.1-2.2.mga6

from SRPMS:
krb5-1.12.5-1.3.mga5.src.rpm
krb5-1.15.1-2.2.mga6.src.rpm
Assignee: guillomovitch => qa-bugs
CC: (none) => guillomovitch
Keywords: (none) => has_procedure
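The caller-side hazard behind CVE-2017-11462, as described in the advisory text above, shown as an added example that is not part of this bug report or of krb5. It is a toy model in C: the `toy_*` functions, the static pool and both callers are hypothetical, and they only compare a library that deletes the context on error with one that preserves it.

```c
#include <stdio.h>
/* Toy model of the CVE-2017-11462 hazard. All names are hypothetical;
 * this is not GSS-API or krb5 code. Contexts live in a static pool so
 * a second delete is counted instead of being undefined behaviour. */
typedef struct { int live; } toy_ctx;
static toy_ctx pool[8];
static int next_slot, stale_deletes;

static void toy_delete(toy_ctx **h) {
    if (*h == NULL) return;
    if (!(*h)->live) stale_deletes++;   /* would be a double free */
    (*h)->live = 0;
    *h = NULL;
}

/* One establishment step: the first call creates the context; a failing
 * call deletes it when delete_on_error is set (permitted by RFC 2744)
 * or leaves it for the caller (the behaviour the advisory recommends). */
static int toy_step(toy_ctx **h, int fail, int delete_on_error) {
    if (*h == NULL) { *h = &pool[next_slot++ % 8]; (*h)->live = 1; }
    if (!fail) return 0;
    if (delete_on_error) toy_delete(h);
    return -1;
}

/* Fragile caller: keeps a second copy of the handle, cleans up via it. */
int fragile_caller(int delete_on_error) {
    toy_ctx *ctx = NULL, *copy;
    stale_deletes = 0;
    toy_step(&ctx, 0, delete_on_error);
    copy = ctx;
    if (toy_step(&ctx, 1, delete_on_error) != 0) toy_delete(&copy);
    return stale_deletes;
}

/* Robust caller: one owning handle, deleted only through that handle. */
int robust_caller(int delete_on_error) {
    toy_ctx *ctx = NULL;
    stale_deletes = 0;
    toy_step(&ctx, 0, delete_on_error);
    if (toy_step(&ctx, 1, delete_on_error) != 0) toy_delete(&ctx);
    return stale_deletes;
}

int main(void) {
    printf("fragile: delete-on-error=%d preserve=%d\n", fragile_caller(1), fragile_caller(0));
    printf("robust:  delete-on-error=%d preserve=%d\n", robust_caller(1), robust_caller(0));
    return 0;
}
```

Only the fragile caller combined with delete-on-error produces a stale delete; preserving the context on error makes both callers safe.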
MGA5-32 on Asus A6000VM Xfce
No installation issues.
Followed procedure given above: but I installed krb5_server_setup.sh in /bin
# krb5_server_setup.sh
works OK, no problems encountered
then
# systemctl start krb5kdc.service
# systemctl -l status krb5kdc.service
● krb5kdc.service - Kerberos 5 KDC
   Loaded: loaded (/usr/lib/systemd/system/krb5kdc.service; enabled)
   Active: active (running) since di 2017-11-14 12:13:10 CET; 1min 42s ago
 Main PID: 13080 (krb5kdc)
   CGroup: /system.slice/krb5kdc.service
           └─13080 /usr/sbin/krb5kdc -P /var/run/krb5kdc.pid
# systemctl restart xinetd.service
[root@mach6 bin]# systemctl -l status xinetd.service
● xinetd.service - Xinetd A Powerful Replacement For Inetd
   Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled)
   Active: active (running) since di 2017-11-14 12:15:16 CET; 14s ago
  Process: 13270 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 13272 (xinetd)
   CGroup: /system.slice/xinetd.service
           └─13272 /usr/sbin/xinetd -stayalive -pidfile /run/xinetd.pid
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing cvspserver
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing eklogin
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing telnet
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing ftp
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing klogin
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing telnet
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing kshell
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: removing ssh
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: xinetd Version 2.3.15 started with libwrap options compiled in.
nov 14 12:15:16 mach6.hviaene.thuis xinetd[13272]: Started working: 0 available services
but then, continuing as root:
# kinit
Password for root@XXXX.YYYYY.ZZZZ:
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: root@XXXX.YYYY.ZZZZ
Valid starting     Expires            Service principal
14-11-17 12:16:07  15-11-17 12:16:07  krbtgt/XXXX.YYYY.ZZZZ@XXXX.YYYY.ZZZZ
both seem OK,
# krlogin $(hostname)
This rlogin session is encrypting all data transmissions.
You have new mail.
Seems OK
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Keywords: (none) => advisory
Set up kerberos on both releases, both arches, confirmed working, installed the updates and rebooted, and confirmed still working on both arches, both releases. Validating the update.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-64-OK MGA6-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0420.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED