Ubuntu has issued an advisory on October 13: https://ubuntu.com/security/notices/USN-5675-1

Mageia 8 is also affected.
Status comment: (none) => Patches available from upstream and Ubuntu
Whiteboard: (none) => MGA8TOO
Fixed in heimdal-7.7.0-10.mga9 by Guillaume.
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Heimdal was not properly handling logical conditions that related to memory management operations. An attacker could possibly use this issue to cause a denial of service. (CVE-2022-3116)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3116
https://ubuntu.com/security/notices/USN-5675-1
========================

Updated packages in core/updates_testing:
========================
heimdal-devel-7.7.0-5.2.mga8
heimdal-devel-doc-7.7.0-5.2.mga8
heimdal-libs-7.7.0-5.2.mga8
heimdal-server-7.7.0-5.2.mga8
heimdal-workstation-7.7.0-5.2.mga8

from SRPM:
heimdal-7.7.0-5.2.mga8.src.rpm
Status: NEW => ASSIGNED
Assignee: guillomovitch => qa-bugs
CVE: (none) => CVE-2022-3116
CC: (none) => nicolas.salguero
Status comment: Patches available from upstream and Ubuntu => (none)
Source RPM: heimdal-7.7.0-9.mga9.src.rpm => heimdal-7.7.0-5.1.mga8.src.rpm
Selecting heimdal-devel-7.7.0-5.2.mga8 to install gives:

The following packages have to be removed for others to be upgraded:
curl-examples-7.74.0-1.8.mga8.noarch (due to unsatisfied curl-devel >= 1:7.74.0-1.8.mga8)
lib64curl-devel-7.74.0-1.8.mga8.x86_64 (due to missing devel(libgssapi_krb5(64bit)))
lib64gsasl-devel-1.8.1-2.1.mga8.x86_64 (due to missing devel(libgssapi_krb5(64bit)))
lib64krb53-devel-1.18.3-1.mga8.x86_64 (due to conflicts with heimdal-devel-7.7.0-5.2.mga8.x86_64)
lib64ssh-devel-0.9.6-1.mga8.x86_64 (due to missing devel(libgssapi_krb5(64bit)))
lib64tirpc-devel-1.3.3-1.mga8.x86_64 (due to missing devel(libgssapi_krb5(64bit)))

Proceeding without heimdal-devel.
CC: (none) => herman.viaene
Ref bug 29658, this conflict is a known phenomenon, so disregarding here.
Following tests from that bug:

# systemctl start heimdal-kdc
# systemctl -l status heimdal-kdc
● heimdal-kdc.service - Heimdal KDC is a Kerberos 5 Key Distribution Center server
     Loaded: loaded (/usr/lib/systemd/system/heimdal-kdc.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2022-10-25 14:23:38 CEST; 16s ago
       Docs: man:kdc(8)
             info:heimdal
             http://www.h5l.org/
   Main PID: 17423 (kdc)
      Tasks: 3 (limit: 4364)
     Memory: 1.6M
        CPU: 43ms
     CGroup: /system.slice/heimdal-kdc.service
             ├─17423 /usr/libexec/kdc
             ├─17425 /usr/libexec/kdc
             └─17426 /usr/libexec/kdc

Oct 25 14:23:38 mach7.hviaene.thuis systemd[1]: Started Heimdal KDC is a Kerberos 5 Key Distribution Center server.

# kadmin
kadmin: kadm5_init_with_password: No KDC found for realm HVIAENE.THUIS

That's true.

As normal user:
$ verify_krb5_conf
verify_krb5_conf: krb5_config_parse_file: open /home/tester8/.krb5/config: No such file or directory
verify_krb5_conf: krb5_config_parse_file: /etc/krb5.conf:3: binding before section

That's in line with bug 29658, so OK for me.
Whiteboard: (none) => MGA8-64-OK
Validating, but wondering if it needs to wait for Bug 29260 before it's pushed. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
No need to wait. While heimdal and kerberos work in the same fashion to allow secure login and usage over an insecure network, the packages are independent and conflict with each other.

$ urpmq --conflicts heimdal-server|sort -u
heimdal-server: krb5-server
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0395.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED