ELSA-2023-2570

ELSA-2023-2570 - krb5 security, bug fix, and enhancement update

Type:SECURITY
Severity:MODERATE
Release Date:2023-05-15

Description


[1.20.1-8.0.1]
- Fixed race condition in krb5_set_password() [Orabug: 33609767]

[1.20.1-8]
- Fix datetime parsing in kadmin on s390x
- Resolves: rhbz#2169985

[1.20.1-7]
- Fix double free on kdb5_util key creation failure
- Resolves: rhbz#2166603

[1.20.1-6]
- Add support for MS-PAC extended KDC signature (CVE-2022-37967)
- Resolves: rhbz#2165827

[1.20.1-5]
- Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled
- Lazily load MD4/5 from OpenSSL if using RADIUS or RC4 enctype in FIPS mode
- Resolves: rhbz#2162461

[1.20.1-4]
- Set aes256-cts-hmac-sha384-192 as EXAMPLE.COM master key in kdc.conf
- Add AES SHA-2 HMAC family as EXAMPLE.COM supported etypes in kdc.conf
- Resolves: rhbz#2068535

[1.20.1-2]
- Strip debugging data from ksu executable file
- Resolves: rhbz#2159643

[1.20.1-1]
- Make tests compatible with sssd-client
- Resolves: rhbz#2151513
- Remove invalid password expiry warning
- Resolves: rhbz#2121099
- Update error checking for OpenSSL CMS_verify
- Resolves: rhbz#2063838
- New upstream version (1.20.1)
- Resolves: rhbz#2016312
- Fix integer overflows in PAC parsing (CVE-2022-42898)
- Resolves: rhbz#2140971

[1.19.1-23]
- Fix kprop for propagating dump files larger than 4GB
- Resolves: rhbz#2133014

[1.19.1-22]
- Restore 'supportedCMSTypes' attribute in PKINIT preauth requests
- Set SHA-512 or SHA-256 with RSA as preferred CMS signature algorithms
- Resolves: rhbz#2068935

[1.19.1-21]
- Fix libkrad client cleanup
- Allow use of larger RADIUS attributes in krad library
- Resolves: rhbz#2100351

[1.19.1-20]
- Fix OpenSSL 3 MD5 encryption in FIPS mode
- Allow libkrad UDP/TCP connection to localhost in FIPS mode
- Resolves: rhbz#2068458

[1.19.1-19]
- Use p11-kit as default PKCS11 module
- Resolves: rhbz#2030981

[1.19.1-18]
- Try harder to avoid password change replay errors
- Resolves: rhbz#2075186

[1.19.1-15]
- Use SHA-256 instead of SHA-1 for PKINIT CMS digest

[1.19.1-14]
- Bypass FIPS restrictions to use KRB5KDF in case AES SHA-1 HMAC is enabled
- Lazily load MD4/5 from OpenSSL if using RADIUS or RC4 enctype in FIPS mode

[1.19.1-13]
- Remove -specs= from krb5-config output
- Resolves #1997021

[1.19.1-12]
- Fix KDC null deref on TGS inner body null server (CVE-2021-37750)
- Resolves: #1997602

[1.19.1-11.1]
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
- Related: rhbz#1991688

[1.19.1-11]
- Fix KDC null deref on bad encrypted challenge (CVE-2021-36222)
- Resolves: #1983733

[1.19.1-10]
- Update OpenSSL 3 provider handling to clean up properly
- Resolves: #1955873

[1.19.1-9]
- Sync openssl3 patches with upstream
- Resolves: #1955873

[1.19.1-8]
- Rebuild for rpminspect and mass rebuild cleanup; no code changes
- Resolves: #1967505

[1.19.1-7]
- Fix several fallback canonicalization problems
- Resolves: #1967505

[1.19.1-6.1]
- Rebuilt for RHEL 9 BETA for openssl 3.0
- Resolves: rhbz#1971065

[1.19.1-6]
- Backport KCM retrieval fixes
- Resolves: #1956403

[1.19.1-5]
- Fix DES3 mention in KDFs
- Resolves: #1955873

[1.19.1-4]
- Port to OpenSSL 3 (alpha 15)
- Resolves: #1955873

[1.19.1-3.1]
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937


Related CVEs


CVE-2020-17049

Updated Packages


Release/Architecture      Filename                                        MD5sum                            Superseded By Advisory
Oracle Linux 9 (aarch64)  krb5-1.20.1-8.0.1.el9.src.rpm                   edabaf431e51e72bc2fa9c98b55cda23  -
                          krb5-devel-1.20.1-8.0.1.el9.aarch64.rpm         8aeac2bd6abcc956f1e0b0b8d9d9d782  -
                          krb5-libs-1.20.1-8.0.1.el9.aarch64.rpm          2185db3471d0fb9397ebf6367f9ccc23  -
                          krb5-pkinit-1.20.1-8.0.1.el9.aarch64.rpm        e392acab8ac3ce8e1deec16d74177e8c  -
                          krb5-server-1.20.1-8.0.1.el9.aarch64.rpm        c070f60caa9c07fc9a600653c1c8a540  -
                          krb5-server-ldap-1.20.1-8.0.1.el9.aarch64.rpm   35c11f1d2583584cbcfb55bd67e15037  -
                          krb5-workstation-1.20.1-8.0.1.el9.aarch64.rpm   6ee65394bf9000257f67d2f8ce28ecc4  -
                          libkadm5-1.20.1-8.0.1.el9.aarch64.rpm           23973136534bed74069cc6e10982b3a3  -
Oracle Linux 9 (x86_64)   krb5-1.20.1-8.0.1.el9.src.rpm                   edabaf431e51e72bc2fa9c98b55cda23  -
                          krb5-devel-1.20.1-8.0.1.el9.i686.rpm            f26819392e6ccff4c2e6eea687369123  -
                          krb5-devel-1.20.1-8.0.1.el9.x86_64.rpm          6df82c4cdc16a86f0e3fabb4c516b1c6  -
                          krb5-libs-1.20.1-8.0.1.el9.i686.rpm             b1e1a929835879a53cfb2fe7aac48b93  -
                          krb5-libs-1.20.1-8.0.1.el9.x86_64.rpm           b56d4624d8a8a0fdab78b06318810427  -
                          krb5-pkinit-1.20.1-8.0.1.el9.i686.rpm           fb6d0885a801ff82edf46dfe878440ef  -
                          krb5-pkinit-1.20.1-8.0.1.el9.x86_64.rpm         6dca662b9487596f5a53cc83c5076bb8  -
                          krb5-server-1.20.1-8.0.1.el9.i686.rpm           1b0af0ceb83a6198776d8b8f37b40a6c  -
                          krb5-server-1.20.1-8.0.1.el9.x86_64.rpm         8d6371db47e960a5fd26203891bc4b54  -
                          krb5-server-ldap-1.20.1-8.0.1.el9.i686.rpm      161f794495f5772b846a1f9d152daedc  -
                          krb5-server-ldap-1.20.1-8.0.1.el9.x86_64.rpm    889e96bd99f56a065a5a4b181e1af99e  -
                          krb5-workstation-1.20.1-8.0.1.el9.x86_64.rpm    6a101218f877743abf3bf122cb7d58e8  -
                          libkadm5-1.20.1-8.0.1.el9.i686.rpm              8be67f71ca3a23a6ce868d7233b6a97d  -
                          libkadm5-1.20.1-8.0.1.el9.x86_64.rpm            ae82e75461f068f73584bb0d6d937563  -
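The fixed build for this advisory is krb5 1.20.1-8.0.1.el9. Oracle's four-component release ("8.0.1.el9") is a trap for any fleet check that compares version strings lexically: "8.el9" and "8.0.1.el9" do not sort the way rpm sorts them. The example below is added here and is not Oracle's or MIT Kerberos's code; it ports rpm's rpmvercmp() to Python and triages saved `rpm -qa` output against the package list above. The package names and fixed version are taken from this advisory; it assumes epoch 0, which holds for the krb5 packages listed here; the `rpm -qa` lines are constructed for the example, not captured from a real host.

```python
"""Triage saved `rpm -qa` output against ELSA-2023-2570 (fixed in krb5 1.20.1-8.0.1.el9).
Pure-Python port of rpm's rpmvercmp(), so the check runs without librpm."""
import re

# Names and fixed EVR from the advisory's package table. Assumption: epoch 0,
# which holds for the krb5 packages listed there.
FIXED_EVR = ("0", "1.20.1", "8.0.1.el9")
ADVISORY_PACKAGES = {"krb5", "krb5-devel", "krb5-libs", "krb5-pkinit", "krb5-server",
                     "krb5-server-ldap", "krb5-workstation", "libkadm5"}

def _sep(c):
    # rpm treats anything but ASCII alphanumerics, '~' and '^' as a separator
    return not (c.isascii() and (c.isalnum() or c in "~^"))

def rpmvercmp(a, b):
    """1 if a is newer than b, -1 if older, 0 if equal (rpm semantics)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and _sep(a[i]):
            i += 1
        while j < len(b) and _sep(b[j]):
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # '~' sorts before everything, even end of string
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # '^' is like '~' but end of string sorts lower
            if not ca or not cb:
                return -1 if not ca else 1
            if ca != cb:
                return 1 if cb == "^" else -1
            i, j = i + 1, j + 1
            continue
        if not ca or not cb:
            break
        isnum = ca.isdigit()                # segment type is decided by the left operand
        pat = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        mb = re.match(pat, b[j:])
        if mb is None:                      # numeric segment beats alpha segment
            return 1 if isnum else -1
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):          # more significant digits wins
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1          # the side with content left is newer

def parse_nevra(nevra):
    """Split 'name-[epoch:]version-release.arch' as printed by `rpm -qa`."""
    body, arch = nevra.rsplit(".", 1)
    name, version, release = body.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, (epoch, version, release), arch

def compare_evr(x, y):
    for a, b in zip(x, y):                  # epoch, then version, then release
        rc = rpmvercmp(a, b)
        if rc:
            return rc
    return 0

def triage(rpm_qa_lines):
    """Map each installed advisory package to 'fixed' or 'vulnerable'."""
    verdict = {}
    for line in rpm_qa_lines:
        line = line.strip()
        if not line:
            continue
        name, evr, _arch = parse_nevra(line)
        if name in ADVISORY_PACKAGES:
            verdict[line] = "fixed" if compare_evr(evr, FIXED_EVR) >= 0 else "vulnerable"
    return verdict

# Constructed sample of `rpm -qa` output; not taken from a real host.
SAMPLE_RPM_QA = """\
krb5-libs-1.20.1-8.el9.x86_64
krb5-libs-1.20.1-8.0.1.el9.i686
krb5-workstation-1.20.1-8.0.1.el9.x86_64
krb5-server-1.19.1-22.el9_1.x86_64
libkadm5-1.20.1-9.el9.x86_64
bash-5.1.8-6.el9_1.x86_64
"""

if __name__ == "__main__":
    for pkg, status in sorted(triage(SAMPLE_RPM_QA.splitlines()).items()):
        print(f"{status:10s} {pkg}")
```

Anything at or above the fixed EVR is reported as fixed, which is how the table's "Superseded By Advisory" column is meant to be read: a later errata that replaces this build still carries these fixes. Run it on `rpm -qa` output collected from each host; only packages named in this advisory are judged, so unrelated lines are ignored rather than mis-parsed.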



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team
