Login
Newsletter
Werbung

Sicherheit: Denial of Service in krb5
Aktuelle Meldungen Distributionen
Name: Denial of Service in krb5
ID: FEDORA-2011-16284
Distribution: Fedora
Plattformen: Fedora 15
Datum: Mi, 1. Februar 2012, 07:33
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1530
Applikationen: MIT Kerberos

Originalnachricht

Name        : krb5
Product : Fedora 15
Version : 1.9.2
Release : 4.fc15
URL : http://web.mit.edu/kerberos/www/
Summary : The Kerberos network authentication system
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.

-------------------------------------------------------------------------------
-
Update Information:

This update rebases Fedora 15 and 16 from version 1.9.1 to version 1.9.2,
incorporating a recent security update and some of the fixes we were previously backporting, among others. It also incorporates fixes for null pointer dereferences which the KDC could make while processing TGS requests (CVE-2011-1530).
-------------------------------------------------------------------------------
-
ChangeLog:

* Tue Dec 6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.2-4
- apply upstream patch to fix a null pointer dereference when processing
TGS requests (CVE-2011-1530, #753748)
* Wed Nov 30 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.2-3
- correct a bug in the fix for #754001 so that the file creation context is
consistently reset
* Tue Nov 22 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.2-2
- pull patch from trunk so that when computing an HMAC, we don't assume
that
the HMAC output size is the same as the input key length (RT#6994, #756139)
* Tue Nov 15 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.2-1
- update to 1.9.2, incorporating the recent security update and some of the
things we were previously backporting, among other fixes
* Tue Oct 18 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-14
- apply upstream patch to fix a null pointer dereference with the LDAP kdb
backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb
backends (CVE-2011-1528), and a null pointer dereference with multiple kdb
backends (CVE-2011-1529) (#737711)
* Wed Oct 12 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-13
- handle a harder-to-trigger assertion failure that starts cropping up when we
exit the transmit loop on time (#739853)
* Tue Sep 6 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-12
- pull in upstream patch for RT#6952, confusion following referrals for
cross-realm auth (#734341)
- pull in build-time deps for the tests
* Thu Sep 1 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-11
- switch to the upstream patch for #727829
* Wed Aug 31 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-10
- handle an assertion failure that starts cropping up when the patch for
using poll (#701446) meets servers that aren't running KDCs or against
which the connection fails for other reasons (#727829, #734172)
* Mon Aug 8 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-9
- override the default build rules to not delete temporary y.tab.c files,
so that they can be packaged, allowing debuginfo files which point to them
do so usefully (#729044)
* Fri Jul 22 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-8
- build shared libraries with partial RELRO support (#723995)
- filter out potentially multiple instances of -Wl,-z,relro from krb5-config
output, now that it's in the buildroot's default LDFLAGS
- pull in a patch to fix losing track of the replay cache FD, from SVN by
way of Kevin Coffman
* Wed Jul 20 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-7
- kadmind.init: drop the attempt to detect no-database-present errors (#723723)
* Tue Jul 19 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-6
- backport fixes to teach libkrb5 to use descriptors higher than FD_SETSIZE
to talk to a KDC by using poll() if it's detected at compile-time
(#701446,
RT#6905)
* Thu Jun 23 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-5
- pull a fix from SVN to try to avoid triggering a PTR lookup in getaddrinfo()
during krb5_sname_to_principal(), and to let getaddrinfo() decide whether or
not to ask for an IPv6 address based on the set of configured interfaces
(#717378, RT#6922)
- pull a fix from SVN to use AI_ADDRCONFIG more often (RT#6923)
* Mon Jun 20 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-4
- apply upstream patch by way of Burt Holzman to fall back to a non-referral
method in cases where we might be derailed by a KDC that rejects the
canonicalize option (for example, those from the RHEL 2.1 or 3 era) (#715074)
* Tue Jun 14 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-3
- pull a fix from SVN to get libgssrpc clients (e.g. kadmin) authenticating
using the old protocol over IPv4 again (RT#6920)
* Tue Jun 14 2011 Nalin Dahyabhai <nalin@redhat.com>
- incorporate a fix to teach the file labeling bits about when replay caches
are expunged (#576093)
* Thu May 26 2011 Nalin Dahyabhai <nalin@redhat.com>
- switch to the upstream patch for #707145
* Wed May 25 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-2
- klist: don't trip over referral entries when invoked with -s (#707145,
RT#6915)
* Fri May 6 2011 Nalin Dahyabhai <nalin@redhat.com>
- fixup URL in a comment
- when built with NSS, require 3.12.10 rather than 3.12.9
* Thu May 5 2011 Nalin Dahyabhai <nalin@redhat.com> 1.9.1-1
- update to 1.9.1:
- drop no-longer-needed patches for CVE-2010-4022, CVE-2011-0281,
CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #754001 - ssh_selinux_change_context: setcon failed with Invalid
argument (openssh, krb5)
https://bugzilla.redhat.com/show_bug.cgi?id=754001
[ 2 ] Bug #756139 - krb5_pac_verify() fail with AES keys
https://bugzilla.redhat.com/show_bug.cgi?id=756139
-------------------------------------------------------------------------------
-

This update can be installed with the "yum" update program. Use
su -c 'yum update krb5' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list
package-announce@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/package-announce
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung