Also, krlogin on mga8 does not appear to function. It was working on mga7.
https://bugs.mageia.org/show_bug.cgi?id=28460#c8

CC: (none) => davidwhodgins

Fixed in cauldron and mga8

src:
     - krb5-1.18.3-1.1.mga8

Assignee: guillomovitch => qa-bugs
CC: (none) => mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

krb5-1.18.3-1.1.mga8
krb5-workstation-1.18.3-1.1.mga8
libkrb53-1.18.3-1.1.mga8
krb5-server-1.18.3-1.1.mga8
libkrb53-devel-1.18.3-1.1.mga8
krb5-server-ldap-1.18.3-1.1.mga8
krb5-pkinit-1.18.3-1.1.mga8

from krb5-1.18.3-1.1.mga8.src.rpm

Status comment: Patch available from Fedora => (none)

Used the procedure at https://wiki.mageia.org/en/QA_procedure:Krb5
to install krb5 and set it up with the above packages in qarepo.

I also made sure krb5kdc.service and kadmin.service were enabled and running.

It installs and sets up cleanly, however the failure of krlogin to function
noted in comment 1 is still present.

While this is not a regression over the prior mga8 versions, it is a regression
from Mageia 7.

We can validate it based on a clean install and no regression over the prior
version, but I'd prefer to fix what ever is causing krlogin to do nothing and
fix it, whether it's a packaging change or a change in the test procedure that's
needed.

Ideas?

Adding Guillaume back to the cc list as the registered maintainer for krb5.

CC: (none) => guillomovitch

Advisory:
========================

Updated krb5 packages fix security vulnerability:

In MIT krb5 releases 1.16 and later prior to 1.19.2, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST (CVE-2021-36222).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29260
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36222
 - https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-36222
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCCYLGJLCVVNJVOQKUGKXR2SNQIPFBFS/
========================

Updated packages in core/updates_testing:
========================
krb5-1.18.3-1.1.mga8
krb5-pkinit-1.18.3-1.1.mga8
krb5-server-1.18.3-1.1.mga8
krb5-server-ldap-1.18.3-1.1.mga8
krb5-workstation-1.18.3-1.1.mga8
lib(64)krb53-1.18.3-1.1.mga8
lib(64)krb53-devel-1.18.3-1.1.mga8

from SRPM:
krb5-1.18.3-1.1.mga8.src.rpm

CC: (none) => ouaurelien

If comment 5 is indicating the packages have been rebuilt, the release needs
to be bumped to get the replaced testing versions to propagate to the mirrors.

As is, no change from comment 4 as krlogin appears to be a no-op.

No, Comment 5 was just an advisory.  There hasn't been a response from Guillaume yet.

Fedora has issued an advisory for 1.18.x today (July 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FXO2RMANKAFCHYZB2DUHXIYIHVD26JDB/

Adding the feedback tag as per comment 6 and comment 4

Keywords: (none) => feedback

I recommend filing a new bug for the krlogin issue and validating this.

Why. If you can't login to the key distribution center no kerberos based
applications can work. For example telnet (after setting it up just like in m7
where it works)  ...
$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.

A KDC null deref is a denial of service that the update is  supposed to fix.
With the key distribution center not working, there is no service to deny, and
the update does nothing. Without a fix, the package should be dropped from
cauldron.

Well, we can't drop the package because krb5 is more than a KDC, it's also the Kerberos 5 library which is used by a ton of packages.  Since the vulnerability itself seems to just affect the server part and not the library, then you have a valid point on the update not being as important.  Perhaps Guillaume knows some way to make it work.

Regarding comment 11, that's after a non-working krlogin ...

[dave@x3 ~]$ kinit
Password for dave@X8T.HODGINS.HOMEIP.NET: 
[dave@x3 ~]$ krlogin x8t.hodgins.homeip.net
[dave@x3 ~]$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.

Regarding comment 12. Perhaps the package could be altered to only generate
the lib packages, not the krb5-... packages in future.

Forgot to show the kinit ...

[dave@x3 ~]$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_500)
[dave@x3 ~]$ kinit
Password for dave@X8T.HODGINS.HOMEIP.NET: 
[dave@x3 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dave@X8T.HODGINS.HOMEIP.NET

Valid starting       Expires              Service principal
2021-08-10 17:37:31  2021-08-11 17:37:31  krbtgt/X8T.HODGINS.HOMEIP.NET@X8T.HODGINS.HOMEIP.NET
        renew until 2021-08-10 17:37:31
[dave@x3 ~]$ krlogin x8t.hodgins.homeip.net
[dave@x3 ~]$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.

Fedora has issued an advisory today (August 21):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P7AFEQGFR3FNSR2E7F6TUACWHAX2J4PQ/

Whiteboard: (none) => MGA8TOO
Keywords: feedback => (none)
Version: 8 => Cauldron
Assignee: qa-bugs => guillomovitch
Status comment: (none) => Patch available from Fedora
Summary: krb5 new security issue CVE-2021-36222 => krb5 new security issues CVE-2021-36222 and CVE-2021-37750

(In reply to David Walser from comment #15)
> Fedora has issued an advisory today (August 21):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.
> fedoraproject.org/thread/P7AFEQGFR3FNSR2E7F6TUACWHAX2J4PQ/

openSUSE has issued an advisory for this today (October 18):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4LN5FUC4TZVB7GKLTDOBR7UQD6W4262A/

new CVE is now fixed in mga8:


src:
    - krb5-1.18.3-1.2.mga8


unfortunatly it does not build on cauldron.

Status comment: Patch available from Fedora => (none)

libkrb53-1.18.3-1.2.mga8
krb5-workstation-1.18.3-1.2.mga8
krb5-server-1.18.3-1.2.mga8
libkrb53-devel-1.18.3-1.2.mga8
krb5-server-ldap-1.18.3-1.2.mga8
krb5-1.18.3-1.2.mga8
krb5-pkinit-1.18.3-1.2.mga8

from krb5-1.18.3-1.2.mga8.src.rpm

Status comment: (none) => Build failure in Cauldron

build fixed in cauldron.

Version: Cauldron => 8
Status comment: Build failure in Cauldron => (none)
Whiteboard: MGA8TOO => (none)
Assignee: guillomovitch => qa-bugs

MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Tried to follow the wiki as I did inbug 24068 Comment 4, but run into trouble 
# ./bin/krb5_server_setup.sh tester8
Checking dns setup for mach5.hviaene.thuis
Good. Forward and reverse dsn settings for mach5.hviaene.thuis match
The realm name will be set to MACH5.HVIAENE.THUIS
Het volgende pakket moet worden verwijderd om andere te kunnen opwaarderen:
rsh-0.17-36.1.mga8.x86_64
 (vanwege conflicten met krb5-appl-clients) (j/N) j


    $MIRRORLIST: media/core/updates/krb5-appl-clients-1.0.3-13.1.mga8.x86_64.rpm
    $MIRRORLIST: media/core/updates/krb5-appl-servers-1.0.3-13.1.mga8.x86_64.rpm                                                                                                                                    
installeren van krb5-appl-servers-1.0.3-13.1.mga8.x86_64.rpm krb5-appl-clients-1.0.3-13.1.mga8.x86_64.rpm vanaf /var/cache/urpmi/rpms                                                                               
Voorbereiden...                  ##################################################################################################################################################################################
      1/2: krb5-appl-clients     ##################################################################################################################################################################################
      2/2: krb5-appl-servers     ##################################################################################################################################################################################
bezig met verwijderen van pakket rsh-0.17-36.1.mga8.x86_64
      1/1: verwijderen van rsh-0.17-36.1.mga8.x86_64
                                 ##################################################################################################################################################################################
Setting realm name in /var/lib/krb5kdc/kdc.conf
Removing '#' characters and setting realm and host names in /etc/krb5.conf
Setting realm name in /var/lib/krb5kdc/kadm5.acl
Creating database in /var/lib/krb5kdc/principal
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'MACH5.HVIAENE.THUIS',
master key name 'K/M@MACH5.HVIAENE.THUIS'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key: 
Re-enter KDC database master key to verify: 
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
Redirecting to /bin/systemctl start krb5kdc.service
Redirecting to /bin/systemctl start kadmin.service
kerberos server setup complete
systemd
Opmerking: Verzoek wordt doorgestuurd naar 'systemctl enable krb5kdc.service'.
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service.
systemd
Opmerking: Verzoek wordt doorgestuurd naar 'systemctl enable kadmin.service'.
Created symlink /etc/systemd/system/multi-user.target.wants/kadmin.service → /usr/lib/systemd/system/kadmin.service.
Copy /etc/krb5.conf to any client stations, and install krb5-appl-clients on them

And subsequent gets (of course)
$ kinit
kinit: No KCM server found while getting default ccache

CC: (none) => herman.viaene

krlogin still fails to do anything.

[dave@x8v ~]$ kinit
Password for dave@X8V.HODGINS.HOMEIP.NET: 
[dave@x8v ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dave@X8V.HODGINS.HOMEIP.NET

Valid starting       Expires              Service principal
2021-12-11 15:10:02  2021-12-12 15:10:02  krbtgt/X8V.HODGINS.HOMEIP.NET@X8V.HODGINS.HOMEIP.NET
        renew until 2021-12-11 15:10:02
[dave@x8v ~]$ krlogin $(hostname)
[dave@x8v ~]$ telnet x8v.hodgins.homeip.net
Trying 192.168.10.112...
Connected to x8v.hodgins.homeip.net (192.168.10.112).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.

Connection closed by foreign host.

If I try by ip address, I at least get an error message indicating the krlogin
is being processed.
[dave@x8v ~]$ krlogin x8v.hodgins.homeip.net
[dave@x8v ~]$ host x8v.hodgins.homeip.net
x8v.hodgins.homeip.net has address 192.168.10.112
[dave@x8v ~]$ krlogin 192.168.10.112
error getting credentials: Server not found in Kerberos database

This appears to show that krlogin is getting the request, it's just failing
to setup the encrypted connection, without any error message.

This is the same as in comment 1.

Adding the feedback marker again.

Keywords: (none) => feedback

I an just bumping this because it have been sitting 282 days.

CC: (none) => fri

Fixed in:
https://advisories.mageia.org/MGASA-2022-0467.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED