SUSE has issued an advisory on September 29: https://lists.suse.com/pipermail/sle-security-updates/2022-September/012454.html Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Severity: normal => major
This looks right to assign to neoclust, registered maintainer.
Assignee: bugsquad => mageia
Suggested advisory:
========================

The updated packages fix a security vulnerability:

NULL pointer dereference in krb5-appl telnetd. (CVE-2022-39028)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-39028
https://lists.suse.com/pipermail/sle-security-updates/2022-September/012454.html
========================

Updated packages in core/updates_testing:
========================
krb5-appl-clients-1.0.3-13.2.mga8
krb5-appl-servers-1.0.3-13.2.mga8

from SRPM:
krb5-appl-1.0.3-13.2.mga8.src.rpm
Assignee: mageia => qa-bugs
Source RPM: krb5-appl-1.0.3-15.mga9.src.rpm => krb5-appl-1.0.3-13.1.mga8.src.rpm
Summary: krb5-appl new security issue CVE-2022-39208 => krb5-appl new security issue CVE-2022-39028
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-39028
Version: Cauldron => 8
CC: (none) => nicolas.salguero
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Tried to follow bug 28460 and the https://wiki.mageia.org/en/QA_procedure:Krb5, but after editing the conf file and
# systemctl restart xinetd.service
# systemctl -l status xinetd.service
● xinetd.service - Xinetd A Powerful Replacement For Inetd
     Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-10-25 14:42:43 CEST; 19s ago
       Docs: man:xinetd
             man:xinetd.conf
             man:xinetd.log
   Main PID: 22374 (xinetd)
      Tasks: 1 (limit: 4364)
     Memory: 744.0K
        CPU: 236ms
     CGroup: /system.slice/xinetd.service
             └─22374 /usr/sbin/xinetd -stayalive -dontfork

Oct 25 14:42:43 mach7.hviaene.thuis systemd[1]: Started Xinetd A Powerful Replacement For Inetd.
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/cvs [file=/etc/xinetd.conf] [line=60]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/eklogin [file=/etc/xinetd.d/eklogin] [line=12]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/ekrb5-telnet [file=/etc/xinetd.d/ekrb5-telnet] [line=13]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/gssftp [file=/etc/xinetd.d/gssftp] [line=14]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/klogin [file=/etc/xinetd.d/klogin] [line=14]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/krb5-telnet [file=/etc/xinetd.d/krb5-telnet] [line=12]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Reading included configuration file: /etc/xinetd.d/kshell [file=/etc/xinetd.d/kshell] [line=13]
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: 2.3.15.4 started with libwrap loadavg options compiled in.
Oct 25 14:42:43 mach7.hviaene.thuis xinetd[22374]: Started working: 1 available service

as normal user:
$ kinit
bash: kinit: command not found
CC: (none) => herman.viaene
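An added example, not part of this bug report or of krb5-appl: a POSIX sh helper that parses /etc/xinetd.d service files and reports which services xinetd would actually start, the check a tester wants after "editing the conf file" in the procedure above (xinetd only counted "1 available service" in the log). The sample service files, the server paths inside them and the function names are constructed for illustration and are not copies of Mageia's files.

```shell
#!/bin/sh
# Added example (not part of the bug report or of krb5-appl): inspect xinetd
# service files and report which services xinetd would start.
set -eu

# xinetd_service_state FILE
# Prints "<name> <enabled|disabled> <server>" for one xinetd service file.
# Assumption: a service is enabled unless its block says "disable = yes";
# the "disabled =" list in the defaults section of /etc/xinetd.conf is not
# consulted here.
xinetd_service_state() {
    awk '
        { gsub(/=/, " = ") }                      # tolerate "disable=yes" without spaces
        /^[[:space:]]*#/ { next }                 # skip comment lines
        $1 == "service" { name = $2 }
        $1 == "disable" && $2 == "=" { disabled = tolower($3) }
        $1 == "server"  && $2 == "=" { server = $3 }
        END {
            if (name == "") exit 1                # not a service file
            printf "%s %s %s\n", name, (disabled == "yes" ? "disabled" : "enabled"), (server == "" ? "-" : server)
        }
    ' "$1"
}

# xinetd_enabled_services DIR
# Prints the name of every enabled service found under DIR, one per line.
xinetd_enabled_services() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        xinetd_service_state "$f" | awk '$2 == "enabled" { print $1 }'
    done
}

# make_sample_dir
# Writes two constructed service files into a temporary directory and prints
# its path: the kerberised telnet entry is still disabled, the gssftp entry
# has been switched on. Paths and values are made up for the example.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/krb5-telnet" <<'EOF'
# constructed sample: telnetd left disabled (the default shipped state)
service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/kerberos/sbin/telnetd
    log_on_failure  += USERID
    disable         = yes
}
EOF
    cat > "$d/gssftp" <<'EOF'
# constructed sample: ftpd switched on by the tester
service ftp
{
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/kerberos/sbin/ftpd
    server_args     = -l -a
    disable         = no
}
EOF
    echo "$d"
}

# Stand-alone demonstration on the constructed files.
dir=$(make_sample_dir)
echo "Service files in $dir:"
for f in "$dir"/*; do xinetd_service_state "$f"; done
echo "Enabled services:"
xinetd_enabled_services "$dir"
rm -rf "$dir"
```

Run it against the real directory with `xinetd_enabled_services /etc/xinetd.d` after sourcing the functions; if telnet is not listed, the `disable` line in the krb5-telnet file was not changed and xinetd will never hand a connection to telnetd, whatever package version is installed.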
kinit is in krb5-workstation
kinit worked in Mageia 7, but has never worked in Mageia 8. krb5-appl should be dropped from Mageia since it does not work. No broken updates for a broken package should be validated. Same with the rest of the kerberos packages.
CC: (none) => davidwhodgins
krb5-appl is usable even if kerberos isn't working. That's a separate issue of another package (and I seriously doubt it's broken for all use cases).
Without kinit working, none of the programs in krb5-appl-clients or krb5-appl-servers can work. The workstation provides the authentication for users and servers. It ensures only validly logged-in users anywhere on an untrusted network can log in, and that they can only access validated servers, to ensure there isn't a man-in-the-middle attack. Without the workstation the clients cannot connect, and the servers cannot be accessed, even from the same computer the servers are running on. The only krb5 packages that are of any use on Mageia 8 are lib64krb53 and libkrb53, which are used by other applications. All of the other rpm packages created from the krb5 source rpm are broken.
The krb5-appl programs are kerberized and support that, but telnet and ftp work without it.
Verified that ftp and telnet clients work fine. Let's move this along.
Whiteboard: (none) => MGA8-64-OK
Letting it through just for ftp/telnet bothers me, but ok. Validating the update. Advisory committed to svn.
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory, validated_update
ftp and telnet are what these packages are primarily used for.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0394.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED