Bug 29658 - heimdal new security issue CVE-2021-3671
Summary: heimdal new security issue CVE-2021-3671
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-11-12 21:50 CET by David Walser
Modified: 2021-12-08 21:05 CET (History)
6 users (show)

See Also:
Source RPM: heimdal-7.7.0-5.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2021-11-12 21:50:33 CET
Ubuntu has issued an advisory on November 11:
https://ubuntu.com/security/notices/USN-5142-1

The Samba issues are in Bug 29641.  CVE-2021-3671 may also affect Samba if it's built with internal heimdal.

Ubuntu links to two upstream commits to fix the issue:
https://ubuntu.com/security/CVE-2021-3671

Mageia 8 is also affected.
David Walser 2021-11-12 21:50:50 CET

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=29641
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from Ubuntu and upstream

Comment 1 Marja Van Waes 2021-11-20 17:12:55 CET
Assigning to the registered maintainer

CC: (none) => marja11
Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2021-11-28 21:34:30 CET
Patched packages uploaded for Mageia 8 and Cauldron by Guillaume.

heimdal-devel-7.7.0-5.1.mga8
heimdal-devel-doc-7.7.0-5.1.mga8
heimdal-libs-7.7.0-5.1.mga8
heimdal-workstation-7.7.0-5.1.mga8
heimdal-server-7.7.0-5.1.mga8

from heimdal-7.7.0-5.1.mga8.src.rpm

CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
Status comment: Patches available from Ubuntu and upstream => (none)
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)

Comment 3 Herman Viaene 2021-12-02 15:26:32 CET
MGA8-64 Plasma on Lenovo B50
No installation issues.
Ref bug 22142 Comment 5 for testing
# systemctl start heimdal-kdc
# systemctl -l status heimdal-kdc
● heimdal-kdc.service - Heimdal KDC is a Kerberos 5 Key Distribution Center server
     Loaded: loaded (/usr/lib/systemd/system/heimdal-kdc.service; disabled; vendor preset: disabled)
     Active: active (running) since Thu 2021-12-02 15:21:01 CET; 15s ago
       Docs: man:kdc(8)
             info:heimdal
             http://www.h5l.org/
   Main PID: 15507 (kdc)
      Tasks: 5 (limit: 9396)
     Memory: 2.2M
        CPU: 11ms
     CGroup: /system.slice/heimdal-kdc.service
             ├─15507 /usr/libexec/kdc
             ├─15509 /usr/libexec/kdc
             ├─15510 /usr/libexec/kdc
             ├─15511 /usr/libexec/kdc
             └─15512 /usr/libexec/kdc

dec 02 15:21:01 mach5.hviaene.thuis systemd[1]: Started Heimdal KDC is a Kerberos 5 Key Distribution Center server.
# kadmin
kadmin: kadm5_init_with_password: No KDC found for realm HVIAENE.THUIS
As normal user
$ verify_krb5_conf 
verify_krb5_conf: krb5_config_parse_file: open /home/tester8/.krb5/config: No such file or directory
verify_krb5_conf: krb5_config_parse_file: /etc/krb5.conf:3: binding before section
Seems acceptable.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Herman Viaene 2021-12-02 15:33:00 CET
Maybe OK'ed too quickly: when trying to install heimdal-devel I get (partly translated)

the following paclages have to be removed in order to upgrae others:
curl-examples-7.74.0-1.4.mga8.noarch
 (because of unfulfilled curl-devel >= 1:7.74.0-1.4.mga8)
lib64appstream-glib-devel-0.7.18-5.mga8.x86_64
 (vanwege ontbrekende devel(libsoup-2.4(64bit)))
lib64curl-devel-7.74.0-1.4.mga8.x86_64
 (vanwege ontbrekende devel(libgssapi_krb5(64bit)))
lib64flatpak-devel-1.10.5-1.mga8.x86_64
 (vanwege ontbrekende devel(libsoup-2.4(64bit)),
  vanwege ontbrekende devel(libmalcontent-0(64bit)))
lib64goa-devel-3.38.0-1.mga8.x86_64
 (vanwege ontbrekende devel(libsoup-2.4(64bit)),
  vanwege ontbrekende devel(librest-0.7(64bit)))
lib64krb53-devel-1.18.3-1.mga8.x86_64
 (vanwege conflicten met heimdal-devel-7.7.0-5.1.mga8.x86_64)
lib64malcontent-devel-0.10.0-1.mga8.x86_64
 (vanwege ontbrekende devel(libappstream-glib(64bit)),
  vanwege onvoldane pkgconfig(appstream-glib) >= 0.7.15)
lib64qt5base5-devel-5.15.2-4.5.mga8.x86_64
 (vanwege onvoldane lib64qt5network-devel == 5.15.2-4.5.mga8)
lib64qt5network-devel-5.15.2-4.5.mga8.x86_64
 (vanwege ontbrekende devel(libgssapi_krb5(64bit)))
lib64rest0.7-devel-0.8.1-3.mga8.x86_64
 (vanwege ontbrekende pkgconfig(libsoup-2.4),
  vanwege ontbrekende devel(libsoup-2.4(64bit)),
  vanwege ontbrekende devel(libsoup-gnome-2.4(64bit)))
lib64soup-devel-2.72.0-1.mga8.x86_64
 (vanwege ontbrekende devel(libgssapi_krb5(64bit)))
lib64ssh-devel-0.9.6-1.mga8.x86_64
 (vanwege ontbrekende devel(libgssapi_krb5(64bit)))
lib64webkit2-devel-2.34.1-1.mga8.x86_64
 (vanwege ontbrekende pkgconfig(libsoup-2.4),
  vanwege ontbrekende devel(libsoup-2.4(64bit)))
lib64wireshark-devel-3.4.10-1.mga8.x86_64
 (vanwege ontbrekende devel(libk5crypto(64bit)))
lib64zapojit-devel-0.0.3-9.1.mga8.x86_64
 (vanwege ontbrekende pkgconfig(libsoup-2.4),
  vanwege ontbrekende devel(libsoup-2.4(64bit)),
  vanwege ontbrekende pkgconfig(rest-0.7),
  vanwege ontbrekende devel(librest-0.7(64bit)),
  vanwege ontbrekende devel(libgoa-1.0(64bit)),
  vanwege ontbrekende pkgconfig(goa-1.0))

Leaving for others to restore the OK if this is not essential

Whiteboard: MGA8-64-OK => (none)

Comment 5 Guillaume Rousse 2021-12-02 19:05:27 CET
That's perfectly normal given the conflict between lib64krb53-devel and heimdal-devel. As usual, just checking if the problem already exist with the already shipped version should help deciding if it is a regression or not.
Comment 6 Herman Viaene 2021-12-03 08:46:50 CET
Well, I did not have the older version, and I delete most of the tested packages after tesing since I want to keep this testing instance as close as possible to a default installation. And secondly, a new version should also be tested as a prime installation, shouldn't it???
Anyway, tx for your clerification.

Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2021-12-05 18:24:35 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 8 Dave Hodgins 2021-12-08 01:45:37 CET
Removing the validation. What about samba? Does it need to be updated to use
the updated heimdal package?

Keywords: validated_update => (none)
CC: (none) => davidwhodgins

Comment 9 David Walser 2021-12-08 02:29:13 CET
The library was only patched, so samba wouldn't need rebuilt.  If it's using bundled code it'll need to be addressed there.  It would be nice to see the library package correctly named according to our packaging policy, but that change will have to be made in Cauldron.
Comment 10 Dave Hodgins 2021-12-08 03:44:38 CET
Re-validating. Advisory committed to svn.

Keywords: (none) => advisory, validated_update

Comment 11 Mageia Robot 2021-12-08 21:05:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0543.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED


Note You need to log in before you can comment on or make changes to this bug.