Fedora has issued an advisory on December 24: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/
Assigning to the registered maintainer.
Assignee: bugsquad => guillomovitch
CC: (none) => marja11
Fixed in krb5-1.16.2-2.mga7 in Cauldron. Mageia 6 appears to be affected as well.
Version: Cauldron => 6
Advisory:
========================

Updated krb5 packages fix security vulnerability:

An authenticated user who can obtain a TGT using an older encryption type (DES, DES3, or RC4) can cause an assertion failure in the KDC by sending an S4U2Self request (CVE-2018-20217).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20217
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/
========================

Updated packages in core/updates_testing:
========================

krb5-1.15.1-2.4.mga6
libkrb53-devel-1.15.1-2.4.mga6
libkrb53-1.15.1-2.4.mga6
krb5-server-1.15.1-2.4.mga6
krb5-server-ldap-1.15.1-2.4.mga6
krb5-workstation-1.15.1-2.4.mga6
krb5-pkinit-openssl-1.15.1-2.4.mga6

from krb5-1.15.1-2.4.mga6.src.rpm
Assignee: guillomovitch => qa-bugs
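A QA tester or administrator validating this update wants to confirm that every krb5 package present on a host is at or above the fixed version listed in the advisory. The following is an added example, not part of the bug report or of Mageia's own tooling: it parses the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <packages>` (the sample output below is constructed), compares version-release strings with a simplified rpmvercmp (the function names `rpm_vercmp`, `compare_vr`, `parse_rpm_q` and `check_advisory` are this example's own), and reports which installed packages still predate the fix. The package list and versions are taken from the advisory above.

```python
import re

# Fixed package set as listed in the advisory on this page.
FIXED_PACKAGES = {
    "krb5": "1.15.1-2.4.mga6",
    "libkrb53": "1.15.1-2.4.mga6",
    "libkrb53-devel": "1.15.1-2.4.mga6",
    "krb5-server": "1.15.1-2.4.mga6",
    "krb5-server-ldap": "1.15.1-2.4.mga6",
    "krb5-workstation": "1.15.1-2.4.mga6",
    "krb5-pkinit-openssl": "1.15.1-2.4.mga6",
}

_SEGMENT = re.compile(r"(\d+|[A-Za-z]+)")


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: split into numeric/alpha segments, compare
    numerics by value, alphas lexically, and rank a numeric segment above
    an alpha one. Returns -1, 0 or 1 like the C original."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    # All shared segments equal: the longer string is the newer one.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(installed: str, fixed: str) -> int:
    """Compare two 'VERSION-RELEASE' strings; version first, then release."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    c = rpm_vercmp(iv, fv)
    return c if c else rpm_vercmp(ir, fr)


def parse_rpm_q(output: str) -> dict:
    """Parse `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\\n'` output.
    rpm prints 'package X is not installed' for absent packages; skip those."""
    installed = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue
        name, vr = line.split()
        installed[name] = vr
    return installed


def check_advisory(installed: dict, fixed: dict = FIXED_PACKAGES) -> list:
    """Return (package, installed_vr, status) for each advisory package that
    is installed; 'VULNERABLE' means it predates the fixed version."""
    results = []
    for name, fixed_vr in sorted(fixed.items()):
        if name not in installed:
            continue  # not installed on this host, nothing to update
        status = "ok" if compare_vr(installed[name], fixed_vr) >= 0 else "VULNERABLE"
        results.append((name, installed[name], status))
    return results


# Constructed sample of rpm output: one package still on the pre-fix release.
SAMPLE_RPM_Q = """\
krb5 1.15.1-2.3.mga6
libkrb53 1.15.1-2.4.mga6
krb5-workstation 1.15.1-2.4.mga6
package krb5-server is not installed
"""

if __name__ == "__main__":
    for name, vr, status in check_advisory(parse_rpm_q(SAMPLE_RPM_Q)):
        print(f"{name:24} {vr:20} {status}")
```

On a real host, replace `SAMPLE_RPM_Q` with the captured output of the `rpm -q` query for the package names in `FIXED_PACKAGES`; the comparison is deliberately release-aware so that `2.3.mga6` is flagged while `2.4.mga6` and any later build pass.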
MGA6-32 MATE on IBM Thinkpad R50e

No installation issues.

Followed procedures as per wiki https://wiki.mageia.org/en/QA_procedure:Krb5

At CLI:

$ mkdir -p ~/bin
$ wget https://bugs.mageia.org/attachment.cgi?id=9586 -O ~/bin/krb5_server_setup.sh
--2019-01-09 11:09:47-- https://bugs.mageia.org/attachment.cgi?id=9586
Herleiden van bugs.mageia.org... 212.85.158.151, 2a02:2178:2:7::7
Verbinding maken met bugs.mageia.org|212.85.158.151|:443... verbonden.
HTTP-verzoek is verzonden; wachten op antwoord... 200 OK
Lengte: 3710 (3,6K) [text/plain]
Wordt opgeslagen als: ‘/home/tester6/bin/krb5_server_setup.sh’

/home/tester6/bin/krb5_se 100%[==================================>] 3,62K --.-KB/s in 0s

2019-01-09 11:09:48 (14,5 MB/s) - '‘/home/tester6/bin/krb5_server_setup.sh’' opgeslagen [3710/3710]

$ chmod a+x ~/bin/krb5_server_setup.sh

Here I deviate from the procedure, because I never ever use sudo, so after su -l:

# /home/tester6/bin/krb5_server_setup.sh tester6
Checking dns setup for mach6.hviaene.thuis
Good. Forward and reverse dsn settings for mach6.hviaene.thuis match
The realm name will be set to MACH6.HVIAENE.THUIS
Authenticating as principal root/admin@MACH6.HVIAENE.THUIS with password.

Which includes installing krb5-appl-servers and xinetd, and further setting the passwords.

Edited /etc/xinetd.d/eklogin as per procedure.

# systemctl restart xinetd.service

and then as normal user:

$ kinit
Password for tester6@MACH6.HVIAENE.THUIS:
$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tester6@MACH6.HVIAENE.THUIS
$ krlogin $(hostname)
This rlogin session is encrypting all data transmissions.
You have mail.

That's OK according to the procedure.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
Thanks Herman for a fiddly test. Advisoried, validating.
Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0028.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED