ELSA-2014-1389

ELSA-2014-1389 - krb5 security and bug fix update

Type:SECURITY
Severity:MODERATE
Release Date:2014-10-15

Description


[1.10.3-33]
- actually apply that last patch

[1.10.3-32]
- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345, #1128157)

[1.10.3-31]
- ksu: when evaluating .k5users, don't throw away data from .k5users when we're
not passed a command to run, which implicitly means we're attempting to run
the target user's shell (#1026721, revised)

[1.10.3-30]
- ksu: when evaluating .k5users, treat lines with just a principal name as if
they contained the principal name followed by '*', and don't throw away data
from .k5users when we're not passed a command to run, which implicitly means
we're attempting to run the target user's shell (#1026721, revised)

[1.10.3-29]
- gssapi: pull in upstream fix for a possible NULL dereference in spnego
(CVE-2014-4344, #1121510)
- gssapi: pull in proposed-and-accepted fix for a double free in initiators
(David Woodhouse, CVE-2014-4343, #1121510)

[1.10.3-28]
- correct a type mistake in the backported fix for CVE-2013-1418/CVE-2013-6800

[1.10.3-27]
- pull in backported fix for denial of service by injection of malformed
GSSAPI tokens (CVE-2014-4341, CVE-2014-4342, #1121510)
- incorporate backported patch for remote crash of KDCs which serve multiple
realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, more of

[1.10.3-26]
- pull in backport of patch to not subsequently always require that responses
come from master KDCs if we get one from a master somewhere along the way
while chasing referrals (RT#7650, #1113652)

[1.10.3-25]
- ksu: if the -e flag isn't used, use the target user's shell when checking
for authorization via the target user's .k5users file (#1026721)

[1.10.3-24]
- define _GNU_SOURCE in files where we use EAI_NODATA, to make sure that
it's declared (#1059730)

[1.10.3-23]
- spnego: pull in patch from master to restore preserving the OID of the
mechanism the initiator requested when we have multiple OIDs for the same
mechanism, so that we reply using the same mechanism OID and the initiator
doesn't get confused (#1087068, RT#7858)

[1.10.3-22]
- add patch from Jatin Nansi to avoid attempting to clear memory at the
NULL address if krb5_encrypt_helper() returns an error when called
from encrypt_credencpart() (#1055329, pull #158)

[1.10.3-21]
- drop patch to add additional access() checks to ksu - they shouldn't be
resulting in any benefit

[1.10.3-20]
- apply patch from Nikolai Kondrashov to pass a default realm set in
/etc/sysconfig/krb5kdc to the kdb_check_weak helper, so that it doesn't
produce an error if there isn't one set in krb5.conf (#1009389)

[1.10.3-19]
- packaging: don't Obsoletes: older versions of krb5-pkinit-openssl and
virtual Provide: krb5-pkinit-openssl on EL6, where we don't need to
bother with any of that (#1001961)

[1.10.3-18]
- pkinit: backport tweaks to avoid trying to call the prompter callback
when one isn't set (part of #965721)
- pkinit: backport the ability to use a prompter callback to prompt for
a password when reading private keys (the rest of #965721)

[1.10.3-17]
- backport fix to not spin on a short read when reading the length of a
response over TCP (RT#7508, #922884)

[1.10.3-16]
- backport fix for trying all compatible keys when not being strict about
acceptor names while reading AP-REQs (RT#7883, #1070244)


Related CVEs


CVE-2013-1418
CVE-2013-6800
CVE-2014-4341
CVE-2014-4344
CVE-2014-4345
CVE-2014-4342
CVE-2014-4343

Updated Packages


Release/ArchitectureFilenameMD5sumSuperseded By Advisory
Oracle Linux 6 (i386) krb5-1.10.3-33.el6.src.rpm4fcbd264a8ad2580cc7ec86fbdfc87caELSA-2016-0493
krb5-devel-1.10.3-33.el6.i686.rpm224a55a41f61e060bb95af4965856678ELSA-2016-0493
krb5-libs-1.10.3-33.el6.i686.rpm31f311da5a2a0a022e37a0e3ccfa679bELSA-2016-0493
krb5-pkinit-openssl-1.10.3-33.el6.i686.rpm21ca47f0254d4d298b5e772d52d6d2e4ELSA-2016-0493
krb5-server-1.10.3-33.el6.i686.rpm768e640a509847a3a54ed7ec412b68ceELSA-2016-0493
krb5-server-ldap-1.10.3-33.el6.i686.rpme2de6135e9e1516a42f0fdee9e6088a8ELSA-2016-0493
krb5-workstation-1.10.3-33.el6.i686.rpm01e866bef48358bbbae130ec9218c0fdELSA-2016-0493
Oracle Linux 6 (x86_64) krb5-1.10.3-33.el6.src.rpm4fcbd264a8ad2580cc7ec86fbdfc87caELSA-2016-0493
krb5-devel-1.10.3-33.el6.i686.rpm224a55a41f61e060bb95af4965856678ELSA-2016-0493
krb5-devel-1.10.3-33.el6.x86_64.rpm88ae024731f05ae79226bc846758199bELSA-2016-0493
krb5-libs-1.10.3-33.el6.i686.rpm31f311da5a2a0a022e37a0e3ccfa679bELSA-2016-0493
krb5-libs-1.10.3-33.el6.x86_64.rpm678b21c1555957950dcd944c59459cabELSA-2016-0493
krb5-pkinit-openssl-1.10.3-33.el6.x86_64.rpm2068dd5cfc482234c3087d47689e0b93ELSA-2016-0493
krb5-server-1.10.3-33.el6.x86_64.rpm6edc826ecfb77a04fe15fb37120b52f3ELSA-2016-0493
krb5-server-ldap-1.10.3-33.el6.i686.rpme2de6135e9e1516a42f0fdee9e6088a8ELSA-2016-0493
krb5-server-ldap-1.10.3-33.el6.x86_64.rpmb9444ff1c661e0ece46f882802f8b16dELSA-2016-0493
krb5-workstation-1.10.3-33.el6.x86_64.rpm15b26b6f73e15392703f4eb604a4f858ELSA-2016-0493



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete