Fedora has issued an advisory today (July 14): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCCYLGJLCVVNJVOQKUGKXR2SNQIPFBFS/ Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patch available from Fedora
Also, krlogin on mga8 does not appear to function. It was working on mga7. https://bugs.mageia.org/show_bug.cgi?id=28460#c8
CC: (none) => davidwhodgins
Fixed in cauldron and mga8.
src:
- krb5-1.18.3-1.1.mga8
Assignee: guillomovitch => qa-bugs
CC: (none) => mageia
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
krb5-1.18.3-1.1.mga8
krb5-workstation-1.18.3-1.1.mga8
libkrb53-1.18.3-1.1.mga8
krb5-server-1.18.3-1.1.mga8
libkrb53-devel-1.18.3-1.1.mga8
krb5-server-ldap-1.18.3-1.1.mga8
krb5-pkinit-1.18.3-1.1.mga8
from krb5-1.18.3-1.1.mga8.src.rpm
Status comment: Patch available from Fedora => (none)
Used the procedure at https://wiki.mageia.org/en/QA_procedure:Krb5 to install krb5 and set it up with the above packages in qarepo. I also made sure krb5kdc.service and kadmin.service were enabled and running. It installs and sets up cleanly, however the failure of krlogin to function noted in comment 1 is still present. While this is not a regression over the prior mga8 versions, it is a regression from Mageia 7. We can validate it based on a clean install and no regression over the prior version, but I'd prefer to fix whatever is causing krlogin to do nothing and fix it, whether it's a packaging change or a change in the test procedure that's needed. Ideas? Adding Guillaume back to the cc list as the registered maintainer for krb5.
CC: (none) => guillomovitch
Advisory:
========================

Updated krb5 packages fix security vulnerability:

In MIT krb5 releases 1.16 and later prior to 1.19.2, an unauthenticated attacker can cause a null dereference in the KDC by sending a request containing a PA-ENCRYPTED-CHALLENGE padata element without using FAST (CVE-2021-36222).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29260
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36222
- https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-36222
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CCCYLGJLCVVNJVOQKUGKXR2SNQIPFBFS/
========================

Updated packages in core/updates_testing:
========================
krb5-1.18.3-1.1.mga8
krb5-pkinit-1.18.3-1.1.mga8
krb5-server-1.18.3-1.1.mga8
krb5-server-ldap-1.18.3-1.1.mga8
krb5-workstation-1.18.3-1.1.mga8
lib(64)krb53-1.18.3-1.1.mga8
lib(64)krb53-devel-1.18.3-1.1.mga8

from SRPM:
krb5-1.18.3-1.1.mga8.src.rpm
CC: (none) => ouaurelien
If comment 5 is indicating the packages have been rebuilt, the release needs to be bumped to get the replaced testing versions to propagate to the mirrors. As is, no change from comment 4 as krlogin appears to be a no-op.
No, Comment 5 was just an advisory. There hasn't been a response from Guillaume yet.
Fedora has issued an advisory for 1.18.x today (July 21): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FXO2RMANKAFCHYZB2DUHXIYIHVD26JDB/
Adding the feedback tag as per comment 6 and comment 4
Keywords: (none) => feedback
I recommend filing a new bug for the krlogin issue and validating this.
Why? If you can't log in to the key distribution center no kerberos based applications can work. For example telnet (after setting it up just like in m7 where it works) ...

$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.
Connection closed by foreign host.

A KDC null deref is a denial of service that the update is supposed to fix. With the key distribution center not working, there is no service to deny, and the update does nothing. Without a fix, the package should be dropped from cauldron.
Well, we can't drop the package because krb5 is more than a KDC, it's also the Kerberos 5 library which is used by a ton of packages. Since the vulnerability itself seems to just affect the server part and not the library, then you have a valid point on the update not being as important. Perhaps Guillaume knows some way to make it work.
Regarding comment 11, that's after a non-working krlogin ...

[dave@x3 ~]$ kinit
Password for dave@X8T.HODGINS.HOMEIP.NET:
[dave@x3 ~]$ krlogin x8t.hodgins.homeip.net
[dave@x3 ~]$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.
Connection closed by foreign host.

Regarding comment 12. Perhaps the package could be altered to only generate the lib packages, not the krb5-... packages in future.
Forgot to show the kinit ...

[dave@x3 ~]$ klist
klist: No credentials cache found (filename: /tmp/krb5cc_500)
[dave@x3 ~]$ kinit
Password for dave@X8T.HODGINS.HOMEIP.NET:
[dave@x3 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: dave@X8T.HODGINS.HOMEIP.NET

Valid starting       Expires              Service principal
2021-08-10 17:37:31  2021-08-11 17:37:31  krbtgt/X8T.HODGINS.HOMEIP.NET@X8T.HODGINS.HOMEIP.NET
	renew until 2021-08-10 17:37:31
[dave@x3 ~]$ krlogin x8t.hodgins.homeip.net
[dave@x3 ~]$ telnet x8t.hodgins.homeip.net
Trying 192.168.10.14...
Connected to x8t.hodgins.homeip.net (192.168.10.14).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.
Connection closed by foreign host.
Fedora has issued an advisory today (August 21): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P7AFEQGFR3FNSR2E7F6TUACWHAX2J4PQ/
Whiteboard: (none) => MGA8TOO
Keywords: feedback => (none)
Version: 8 => Cauldron
Assignee: qa-bugs => guillomovitch
Status comment: (none) => Patch available from Fedora
Summary: krb5 new security issue CVE-2021-36222 => krb5 new security issues CVE-2021-36222 and CVE-2021-37750
(In reply to David Walser from comment #15)
> Fedora has issued an advisory today (August 21):
> https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/P7AFEQGFR3FNSR2E7F6TUACWHAX2J4PQ/

openSUSE has issued an advisory for this today (October 18): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4LN5FUC4TZVB7GKLTDOBR7UQD6W4262A/
New CVE is now fixed in mga8:
src:
- krb5-1.18.3-1.2.mga8

Unfortunately it does not build on cauldron.
libkrb53-1.18.3-1.2.mga8
krb5-workstation-1.18.3-1.2.mga8
krb5-server-1.18.3-1.2.mga8
libkrb53-devel-1.18.3-1.2.mga8
krb5-server-ldap-1.18.3-1.2.mga8
krb5-1.18.3-1.2.mga8
krb5-pkinit-1.18.3-1.2.mga8
from krb5-1.18.3-1.2.mga8.src.rpm
Status comment: (none) => Build failure in Cauldron
Build fixed in cauldron.
Version: Cauldron => 8
Status comment: Build failure in Cauldron => (none)
Whiteboard: MGA8TOO => (none)
Assignee: guillomovitch => qa-bugs
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Tried to follow the wiki as I did in bug 24068 Comment 4, but ran into trouble:

# ./bin/krb5_server_setup.sh tester8
Checking dns setup for mach5.hviaene.thuis
Good. Forward and reverse dsn settings for mach5.hviaene.thuis match
The realm name will be set to MACH5.HVIAENE.THUIS
Het volgende pakket moet worden verwijderd om andere te kunnen opwaarderen:
  rsh-0.17-36.1.mga8.x86_64
 (vanwege conflicten met krb5-appl-clients) (j/N) j
$MIRRORLIST: media/core/updates/krb5-appl-clients-1.0.3-13.1.mga8.x86_64.rpm
$MIRRORLIST: media/core/updates/krb5-appl-servers-1.0.3-13.1.mga8.x86_64.rpm
installeren van krb5-appl-servers-1.0.3-13.1.mga8.x86_64.rpm krb5-appl-clients-1.0.3-13.1.mga8.x86_64.rpm vanaf /var/cache/urpmi/rpms
Voorbereiden...         ##################################################################################################################################################################################
      1/2: krb5-appl-clients  ##################################################################################################################################################################################
      2/2: krb5-appl-servers  ##################################################################################################################################################################################
bezig met verwijderen van pakket rsh-0.17-36.1.mga8.x86_64
      1/1: verwijderen van rsh-0.17-36.1.mga8.x86_64  ##################################################################################################################################################################################
Setting realm name in /var/lib/krb5kdc/kdc.conf
Removing '#' characters and setting realm and host names in /etc/krb5.conf
Setting realm name in /var/lib/krb5kdc/kadm5.acl
Creating database in /var/lib/krb5kdc/principal
Loading random data
Initializing database '/var/lib/krb5kdc/principal' for realm 'MACH5.HVIAENE.THUIS',
master key name 'K/M@MACH5.HVIAENE.THUIS'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
kadmin.local: No KCM server found while opening default credentials cache
Redirecting to /bin/systemctl start krb5kdc.service
Redirecting to /bin/systemctl start kadmin.service
kerberos server setup complete
systemd Opmerking: Verzoek wordt doorgestuurd naar 'systemctl enable krb5kdc.service'.
Created symlink /etc/systemd/system/multi-user.target.wants/krb5kdc.service → /usr/lib/systemd/system/krb5kdc.service.
systemd Opmerking: Verzoek wordt doorgestuurd naar 'systemctl enable kadmin.service'.
Created symlink /etc/systemd/system/multi-user.target.wants/kadmin.service → /usr/lib/systemd/system/kadmin.service.
Copy /etc/krb5.conf to any client stations, and install krb5-appl-clients on them

And subsequently I get (of course):

$ kinit
kinit: No KCM server found while getting default ccache
CC: (none) => herman.viaene
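The "No KCM server found" failures in the comment above are the symptom of a client configured for a KCM credential cache with no KCM daemon to talk to; the script below is an added example (not from this bug report, the QA wiki procedure or the krb5 project) that reads `default_ccache_name` out of a krb5.conf, reports whether the KCM cache is usable, and prints the FILE-cache stanza that matches the working `klist` output elsewhere in this report. It assumes the MIT default KCM socket path `/var/run/.heim_org.h5l.kcm-socket`, an sssd-kcm style daemon as the usual KCM provider, and a constructed sample config with realm `EXAMPLE.TEST`.

```shell
#!/bin/sh
# Added example, not from the bug report or the krb5 project. Assumption: the
# "No KCM server found while getting default ccache" failure above comes from
# default_ccache_name selecting a KCM cache (MIT krb5 1.18+) while no KCM
# daemon (e.g. sssd-kcm) is running, so kinit cannot store the TGT anywhere.

# Print the credential-cache type selected in [libdefaults] of the given
# krb5.conf (KCM, FILE, DIR, KEYRING, ...); FILE when nothing is configured.
ccache_type() {
    awk '
        /^[[:space:]]*\[/ { in_lib = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        in_lib && /^[[:space:]]*default_ccache_name[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")      # keep only the value
            sub(/[[:space:]#].*$/, "")          # drop trailing comment
            if ($0 ~ /:/) { split($0, a, ":"); print toupper(a[1]) }
            else { print "FILE" }               # bare path means FILE cache
            found = 1; exit
        }
        END { if (!found) print "FILE" }
    ' "$1"
}

# 0: KCM selected and a daemon socket exists; 1: KCM selected but no daemon
# (the failure mode in this report); 2: some other cache type is in use.
# $2 overrides the socket path (MIT default is /var/run/.heim_org.h5l.kcm-socket).
kcm_status() {
    [ "$(ccache_type "$1")" = KCM ] || return 2
    [ -S "${2:-/var/run/.heim_org.h5l.kcm-socket}" ] && return 0
    return 1
}

# Stanza that pins the cache to a per-user file, matching the FILE:/tmp/krb5cc_<uid>
# caches shown in the working klist output of this report.
file_ccache_stanza() {
    printf '[libdefaults]\n    default_ccache_name = FILE:/tmp/krb5cc_%%{uid}\n'
}

# Constructed config reproducing the failing setup (not taken from the reporter's machine).
conf=$(mktemp)
printf '[libdefaults]\n    default_realm = EXAMPLE.TEST\n    default_ccache_name = KCM:\n' > "$conf"
rc=0; kcm_status "$conf" || rc=$?
case $rc in
    0) echo "KCM cache configured and KCM daemon socket present" ;;
    1) echo "KCM cache configured but no KCM daemon: kinit will report 'No KCM server found'"
       echo "Start/enable the KCM daemon, or put this in /etc/krb5.conf:"; file_ccache_stanza ;;
    2) echo "Cache type is $(ccache_type "$conf"); the KCM message cannot come from this config" ;;
esac
rm -f "$conf"
```

Run it against the real file with `ccache_type /etc/krb5.conf` (and any `includedir` drop-ins) to see which cache type the client will actually use before retrying `kinit`.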
krlogin still fails to do anything.

[dave@x8v ~]$ kinit
Password for dave@X8V.HODGINS.HOMEIP.NET:
[dave@x8v ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: dave@X8V.HODGINS.HOMEIP.NET

Valid starting       Expires              Service principal
2021-12-11 15:10:02  2021-12-12 15:10:02  krbtgt/X8V.HODGINS.HOMEIP.NET@X8V.HODGINS.HOMEIP.NET
	renew until 2021-12-11 15:10:02
[dave@x8v ~]$ krlogin $(hostname)
[dave@x8v ~]$ telnet x8v.hodgins.homeip.net
Trying 192.168.10.112...
Connected to x8v.hodgins.homeip.net (192.168.10.112).
Escape character is '^]'.
Unencrypted connection refused. Goodbye.
Connection closed by foreign host.

If I try by ip address, I at least get an error message indicating the krlogin is being processed.

[dave@x8v ~]$ krlogin x8v.hodgins.homeip.net
[dave@x8v ~]$ host x8v.hodgins.homeip.net
x8v.hodgins.homeip.net has address 192.168.10.112
[dave@x8v ~]$ krlogin 192.168.10.112
error getting credentials: Server not found in Kerberos database

This appears to show that krlogin is getting the request, it's just failing to set up the encrypted connection, without any error message. This is the same as in comment 1.
Adding the feedback marker again.
I am just bumping this because it has been sitting 282 days.
CC: (none) => fri
Depends on: (none) => 31157
Depends on: (none) => 31172
Depends on: 31172 => (none)
Source RPM: krb5-1.19.1-1.mga9.src.rpm => krb5-1.18.3-1.mga8.src.rpm
Keywords: feedback => (none)
Assignee: qa-bugs => guillomovitch
Fixed in: https://advisories.mageia.org/MGASA-2022-0467.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED