[SECURITY] Fedora 7 Update: krb5-1.6.1-9.fc7
updates at fedoraproject.org
Fri Mar 21 22:18:10 UTC 2008
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-2637
2008-03-21 21:43:57
--------------------------------------------------------------------------------
Name : krb5
Product : Fedora 7
Version : 1.6.1
Release : 9.fc7
URL : http://web.mit.edu/kerberos/www/
Summary : The Kerberos network authentication system.
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.
--------------------------------------------------------------------------------
Update Information:
This update incorporates fixes included in MITKRB5-SA-2008-001 (use of
uninitialized pointer / double-free in the KDC when v4 compatibility is enabled)
and MITKRB5-SA-2008-002 (incorrect handling of high-numbered descriptors in the
RPC library). This update also incorporates less-critical fixes for a
double-free (CVE-2007-5971) and an incorrect attempt to free non-heap memory
(CVE-2007-5901) in the GSSAPI library.
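The MITKRB5-SA-2008-002 item above is an out-of-bounds array access when high-numbered descriptors are in use. A common instance of that class is placing a descriptor numbered FD_SETSIZE or higher into a select(2) fd_set, whose bit array is only FD_SETSIZE bits long. The following added example (not MIT krb5 code; the function names checked_fd_set, checked_fd_isset and register_in_fresh_set are hypothetical) shows the range check that keeps such a descriptor out of the array instead of writing past its end:

```c
/* Added example: range-check a descriptor before it touches an fd_set.
 * This is not krb5 code; the function names are hypothetical. fd_set and
 * FD_SETSIZE are the standard select(2) interface. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/select.h>
#include <unistd.h>

/* Sets the bit for fd and returns 0, or returns -1 with errno = EINVAL when
 * fd cannot be represented in an fd_set (negative or >= FD_SETSIZE).
 * Without this guard FD_SET would index past the end of the bit array. */
int checked_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Same guard on the read side: an out-of-range fd is reported as "not set"
 * rather than read from beyond the array. */
int checked_fd_isset(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    return FD_ISSET(fd, set) ? 1 : 0;
}

/* Registers fd in a fresh set; returns 1 if it was accepted and is now set,
 * 0 if it was rejected. Exists so the behaviour can be checked by value. */
int register_in_fresh_set(int fd)
{
    fd_set s;
    FD_ZERO(&s);
    if (checked_fd_set(fd, &s) != 0)
        return 0;
    return checked_fd_isset(fd, &s);
}

int main(void)
{
    int pipefd[2];
    if (pipe(pipefd) != 0) {
        perror("pipe");
        return 1;
    }

    /* A normal, low-numbered descriptor is accepted. */
    if (register_in_fresh_set(pipefd[0]))
        printf("fd %d registered\n", pipefd[0]);

    /* FD_SETSIZE itself is used as the sample out-of-range value so the
     * demo does not have to open FD_SETSIZE+1 files; a process that really
     * holds such a descriptor hits exactly this path. */
    if (!register_in_fresh_set(FD_SETSIZE))
        printf("fd %d rejected: %s\n", FD_SETSIZE, strerror(EINVAL));

    close(pipefd[0]);
    close(pipefd[1]);
    return 0;
}
```

The check is cheap and belongs at every FD_SET/FD_ISSET/FD_CLR call site; where a daemon must legitimately handle more than FD_SETSIZE descriptors, the durable fix is to move that code from select(2) to poll(2), which has no fixed upper bound on descriptor numbers.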
--------------------------------------------------------------------------------
ChangeLog:
* Tue Mar 18 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-9
- add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer
when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063,
- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when
high-numbered descriptors are used (CVE-2008-0947, #433596)
- add backport bug fix for an attempt to free non-heap memory in
libgssapi_krb5 (CVE-2007-5901, #415321)
- add backport bug fix for a double-free in out-of-memory situations in
libgssapi_krb5 (CVE-2007-5971, #415351)
* Tue Feb 26 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-8
- stop adding a redundant but harmless call to initialize the gssapi internals
- kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that
the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora,
Netscape, Red Hat Directory Server (Simo Sorce)
* Mon Feb 25 2008 Nalin Dahyabhai <nalin at redhat.com>
- remove a patch, to fix problems with interfaces which are "up" but which
have no address assigned, which conflicted with a different fix for the same
problem in 1.5 (#200979)
* Wed Jan 23 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-7
- backport fix from 1.6.3 to get the traditional
prompt-for-password-change-on-expired-password behavior back in kinit (and
other users of krb5_get_init_creds_opt_alloc()) (#429918)
* Fri Nov 16 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-6
- backport a fix to make handling of returned flags during spnego credential
delegation more forgiving of apps which don't care about flags but still
want a delegated credential handle (#314651, RT#5802)
- fix retrieval of krb5 credentials from an spnego delegated handle (#319351,
RT#5807)
* Mon Sep 17 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-5
- fix incorrect call to "test" in the kadmin init script (Fran Taylor, #287291)
* Thu Sep 6 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-4
- incorporate updated fix for CVE-2007-3999 (CVE-2007-4743)
* Tue Sep 4 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-3
- incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000)
* Wed Jun 27 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-2.1
- incorporate fixes for MITKRB5-SA-2007-004 (CVE-2007-2442, CVE-2007-2443)
and MITKRB5-SA-2007-005 (CVE-2007-2798)
* Wed Jun 27 2007 Nalin Dahyabhai <nalin at redhat.com>
- preprocess kerberos.ldif into a format FDS will like better, and include
that as a doc file as well (from 1.6.1-4)
- drop old, incomplete SELinux patch (from 1.6.1-4)
- add patch from Greg Hudson to make srvtab routines report missing-file errors
at same point that "file" keytab routines do (from 1.6.1-4, #241805)
* Wed Jun 27 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-2.0
- pull up from devel HEAD's 1.6.1-2
* Thu May 24 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-2
- pull patch from svn to undo unintentional chattiness in ftp
- pull patch from svn to handle NULL krb5_get_init_creds_opt structures
better in a couple of places where they're expected
* Wed May 23 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-1
- update to 1.6.1
- drop no-longer-needed patches for CVE-2007-0956, CVE-2007-0957, CVE-2007-1216
- drop patch for sendto bug in 1.6, fixed in 1.6.1
* Fri May 18 2007 Nalin Dahyabhai <nalin at redhat.com>
- kadmind.init: don't fail outright if the default principal database
isn't there if it looks like we might be using the kldap plugin
- kadmind.init: attempt to extract the key for the host-specific kadmin
service when we try to create the keytab
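The 1.6.1-9 changelog entry lists a double-free in out-of-memory situations in libgssapi_krb5 (CVE-2007-5971). That class of bug typically arises when an initialisation routine fails part-way, frees what it already allocated, and a later cleanup frees the same pointer again. The added example below (not krb5 code; the struct name_ctx, the functions name_ctx_init, name_ctx_release, oom_scenario and happy_scenario, the flaky_alloc allocator and the sample name "Admin@EXAMPLE.COM" are all constructed for illustration) shows the idempotent-release pattern that makes the failure path and repeated cleanup safe:

```c
/* Added example: an init/release pair whose out-of-memory path cannot lead
 * to a double free. Not krb5 code; all names are hypothetical. The allocator
 * parameter exists only so the OOM path can be exercised deterministically. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef void *(*alloc_fn)(size_t);

struct name_ctx {
    char *display;   /* heap buffer or NULL */
    char *canonical; /* heap buffer or NULL */
};

/* Idempotent release: every freed pointer is reset to NULL, so calling this
 * on a partially initialised or already-released context is harmless. */
void name_ctx_release(struct name_ctx *ctx)
{
    if (ctx == NULL)
        return;
    free(ctx->display);
    ctx->display = NULL;
    free(ctx->canonical);
    ctx->canonical = NULL;
}

/* Returns 0 on success, -1 on allocation failure. On failure the context is
 * left fully released (both pointers NULL), never half-owned. */
int name_ctx_init(struct name_ctx *ctx, const char *name, alloc_fn alloc)
{
    size_t len = strlen(name) + 1;
    ctx->display = NULL;
    ctx->canonical = NULL;

    ctx->display = alloc(len);
    if (ctx->display == NULL)
        goto fail;
    memcpy(ctx->display, name, len);

    ctx->canonical = alloc(len);
    if (ctx->canonical == NULL)
        goto fail;
    for (size_t i = 0; i < len; i++)
        ctx->canonical[i] = (char)tolower((unsigned char)name[i]);
    return 0;

fail:
    /* Frees whichever parts exist and NULLs both; a later release by the
     * caller then finds nothing to free instead of freeing display twice. */
    name_ctx_release(ctx);
    return -1;
}

/* Constructed allocator: succeeds fail_after times, then returns NULL once
 * the counter reaches zero. A negative counter means "never fail". */
static int fail_after = -1;
static void *flaky_alloc(size_t n)
{
    if (fail_after == 0)
        return NULL;
    if (fail_after > 0)
        fail_after--;
    return malloc(n);
}

/* OOM scenario: the second allocation fails, then release runs twice.
 * Returns 1 when init reported failure and left no dangling ownership. */
int oom_scenario(void)
{
    struct name_ctx ctx;
    fail_after = 1;
    int rc = name_ctx_init(&ctx, "Admin@EXAMPLE.COM", flaky_alloc);
    int clean = (rc == -1 && ctx.display == NULL && ctx.canonical == NULL);
    name_ctx_release(&ctx); /* would be a double free without the NULLing */
    name_ctx_release(&ctx);
    return clean;
}

/* Success scenario: returns 1 when init succeeds and canonicalises the name. */
int happy_scenario(void)
{
    struct name_ctx ctx;
    fail_after = -1;
    int rc = name_ctx_init(&ctx, "Admin@EXAMPLE.COM", flaky_alloc);
    int ok = (rc == 0 && strcmp(ctx.canonical, "admin@example.com") == 0);
    name_ctx_release(&ctx);
    name_ctx_release(&ctx); /* second call is a no-op */
    return ok;
}

int main(void)
{
    printf("oom path clean: %d\n", oom_scenario());
    printf("success path ok: %d\n", happy_scenario());
    return 0;
}
```

Running the same code under a memory checker such as valgrind with the OOM path forced is the quickest way to confirm that no pointer is freed twice; the pattern also rules out the related mistake of passing a pointer that was never heap-allocated to free(), since only pointers obtained from the allocator are ever stored in the context.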
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #415321 - CVE-2007-5901 krb5: use-after-free in gssapi lib
https://bugzilla.redhat.com/show_bug.cgi?id=415321
[ 2 ] Bug #415351 - CVE-2007-5971 krb5: double free in gssapi lib
https://bugzilla.redhat.com/show_bug.cgi?id=415351
[ 3 ] Bug #432620 - CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc
https://bugzilla.redhat.com/show_bug.cgi?id=432620
[ 4 ] Bug #432621 - CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request
https://bugzilla.redhat.com/show_bug.cgi?id=432621
[ 5 ] Bug #433596 - CVE-2008-0947 krb5: file descriptor array overflow in RPC library
https://bugzilla.redhat.com/show_bug.cgi?id=433596
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update krb5' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------