Upstream has released krb5 1.11.1, which fixes a security issue: http://web.mit.edu/kerberos/krb5-1.11/ Updated package uploaded for Cauldron. Patched package uploaded for Mageia 2. Patch checked into Mageia 1 SVN. Advisory: ======================== Updated krb5 packages fix security vulnerability: It was reported that the KDC plugin for PKINIT could dereference a NULL pointer when a malformed packet caused processing to terminate early, which led to a crash of the KDC process. An attacker would require a valid PKINIT certificate or have observed a successful PKINIT authentication to execute a successful attack. In addition, an unauthenticated attacker could execute the attack of anonymouse PKINIT was enabled (CVE-2013-1415). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1415 http://web.mit.edu/kerberos/krb5-1.11/ https://bugzilla.redhat.com/show_bug.cgi?id=914749 ======================== Updated packages in core/updates_testing: ======================== krb5-1.9.2-2.4.mga2 libkrb53-devel-1.9.2-2.4.mga2 libkrb53-1.9.2-2.4.mga2 krb5-server-1.9.2-2.4.mga2 krb5-server-ldap-1.9.2-2.4.mga2 krb5-workstation-1.9.2-2.4.mga2 krb5-pkinit-openssl-1.9.2-2.4.mga2 from krb5-1.9.2-2.4.mga2.src.rpm Reproducible: Steps to Reproduce:
Testing complete on Mageia 2 i586 and x86_64 using the procedure at https://wiki.mageia.org/en/QA_procedure:Krb5 Could someone from the sysadmin team push the srpm krb5-1.9.2-2.4.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated krb5 packages fix security vulnerability: It was reported that the KDC plugin for PKINIT could dereference a NULL pointer when a malformed packet caused processing to terminate early, which led to a crash of the KDC process. An attacker would require a valid PKINIT certificate or have observed a successful PKINIT authentication to execute a successful attack. In addition, an unauthenticated attacker could execute the attack of anonymouse PKINIT was enabled (CVE-2013-1415). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1415 http://web.mit.edu/kerberos/krb5-1.11/ https://bugzilla.redhat.com/show_bug.cgi?id=914749 https://bugs.mageia.org/show_bug.cgi?id=9226
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugsWhiteboard: (none) => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0087
Status: NEW => RESOLVEDCC: (none) => dmorganecResolution: (none) => FIXED