Ubuntu has issued an advisory on November 11:
https://ubuntu.com/security/notices/USN-5142-1

The Samba issues are in Bug 29641. CVE-2021-3671 may also affect Samba if it's built with internal heimdal.

Ubuntu links to two upstream commits to fix the issue:
https://ubuntu.com/security/CVE-2021-3671

Mageia 8 is also affected.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29641
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Ubuntu and upstream
Assigning to the registered maintainer
CC: (none) => marja11
Assignee: bugsquad => guillomovitch
Patched packages uploaded for Mageia 8 and Cauldron by Guillaume.

heimdal-devel-7.7.0-5.1.mga8
heimdal-devel-doc-7.7.0-5.1.mga8
heimdal-libs-7.7.0-5.1.mga8
heimdal-workstation-7.7.0-5.1.mga8
heimdal-server-7.7.0-5.1.mga8

from heimdal-7.7.0-5.1.mga8.src.rpm
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
Status comment: Patches available from Ubuntu and upstream => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 22142 Comment 5 for testing

# systemctl start heimdal-kdc
# systemctl -l status heimdal-kdc
● heimdal-kdc.service - Heimdal KDC is a Kerberos 5 Key Distribution Center server
     Loaded: loaded (/usr/lib/systemd/system/heimdal-kdc.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2021-12-02 15:21:01 CET; 15s ago
       Docs: man:kdc(8)
             info:heimdal
             http://www.h5l.org/
   Main PID: 15507 (kdc)
      Tasks: 5 (limit: 9396)
     Memory: 2.2M
        CPU: 11ms
     CGroup: /system.slice/heimdal-kdc.service
             ├─15507 /usr/libexec/kdc
             ├─15509 /usr/libexec/kdc
             ├─15510 /usr/libexec/kdc
             ├─15511 /usr/libexec/kdc
             └─15512 /usr/libexec/kdc

dec 02 15:21:01 mach5.hviaene.thuis systemd[1]: Started Heimdal KDC is a Kerberos 5 Key Distribution Center server.

# kadmin
kadmin: kadm5_init_with_password: No KDC found for realm HVIAENE.THUIS

As normal user
$ verify_krb5_conf
verify_krb5_conf: krb5_config_parse_file: open /home/tester8/.krb5/config: No such file or directory
verify_krb5_conf: krb5_config_parse_file: /etc/krb5.conf:3: binding before section

Seems acceptable.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Maybe OK'ed too quickly: when trying to install heimdal-devel I get (partly translated)

the following packages have to be removed in order to upgrade others:
curl-examples-7.74.0-1.4.mga8.noarch
 (because of unfulfilled curl-devel >= 1:7.74.0-1.4.mga8)
lib64appstream-glib-devel-0.7.18-5.mga8.x86_64
 (vanwege ontbrekende devel(libsoup-2.4(64bit)))
lib64curl-devel-7.74.0-1.4.mga8.x86_64
 (vanwege ontbrekende devel(libgssapi_krb5(64bit)))
lib64flatpak-devel-1.10.5-1.mga8.x86_64
 (vanwege ontbrekende devel(libsoup-2.4(64bit)), vanwege ontbrekende devel(libmalcontent-0(64bit)))
lib64goa-devel-3.38.0-1.mga8.x86_64
 (vanwege ontbrekende devel(libsoup-2.4(64bit)), vanwege ontbrekende devel(librest-0.7(64bit)))
lib64krb53-devel-1.18.3-1.mga8.x86_64
 (vanwege conflicten met heimdal-devel-7.7.0-5.1.mga8.x86_64)
lib64malcontent-devel-0.10.0-1.mga8.x86_64
 (vanwege ontbrekende devel(libappstream-glib(64bit)), vanwege onvoldane pkgconfig(appstream-glib) >= 0.7.15)
lib64qt5base5-devel-5.15.2-4.5.mga8.x86_64
 (vanwege onvoldane lib64qt5network-devel == 5.15.2-4.5.mga8)
lib64qt5network-devel-5.15.2-4.5.mga8.x86_64
 (vanwege ontbrekende devel(libgssapi_krb5(64bit)))
lib64rest0.7-devel-0.8.1-3.mga8.x86_64
 (vanwege ontbrekende pkgconfig(libsoup-2.4), vanwege ontbrekende devel(libsoup-2.4(64bit)), vanwege ontbrekende devel(libsoup-gnome-2.4(64bit)))
lib64soup-devel-2.72.0-1.mga8.x86_64
 (vanwege ontbrekende devel(libgssapi_krb5(64bit)))
lib64ssh-devel-0.9.6-1.mga8.x86_64
 (vanwege ontbrekende devel(libgssapi_krb5(64bit)))
lib64webkit2-devel-2.34.1-1.mga8.x86_64
 (vanwege ontbrekende pkgconfig(libsoup-2.4), vanwege ontbrekende devel(libsoup-2.4(64bit)))
lib64wireshark-devel-3.4.10-1.mga8.x86_64
 (vanwege ontbrekende devel(libk5crypto(64bit)))
lib64zapojit-devel-0.0.3-9.1.mga8.x86_64
 (vanwege ontbrekende pkgconfig(libsoup-2.4), vanwege ontbrekende devel(libsoup-2.4(64bit)), vanwege ontbrekende pkgconfig(rest-0.7), vanwege ontbrekende devel(librest-0.7(64bit)), vanwege ontbrekende devel(libgoa-1.0(64bit)), vanwege ontbrekende pkgconfig(goa-1.0))

Leaving for others to restore the OK if this is not essential
Whiteboard: MGA8-64-OK => (none)
That's perfectly normal given the conflict between lib64krb53-devel and heimdal-devel. As usual, just checking if the problem already exists with the already shipped version should help deciding if it is a regression or not.
Well, I did not have the older version, and I delete most of the tested packages after testing since I want to keep this testing instance as close as possible to a default installation. And secondly, a new version should also be tested as a prime installation, shouldn't it??? Anyway, tx for your clarification.
Whiteboard: (none) => MGA8-64-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Removing the validation. What about samba? Does it need to be updated to use the updated heimdal package?
Keywords: validated_update => (none)
CC: (none) => davidwhodgins
The library was only patched, so samba wouldn't need rebuilt. If it's using bundled code it'll need to be addressed there. It would be nice to see the library package correctly named according to our packaging policy, but that change will have to be made in Cauldron.
Re-validating. Advisory committed to svn.
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0543.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED