[SECURITY] Fedora 8 Update: krb5-1.6.2-14.fc8

updates at fedoraproject.org
Fri Mar 21 22:21:37 UTC 2008

Fedora Update Notification
2008-03-21 21:45:06

Name        : krb5
Product     : Fedora 8
Version     : 1.6.2
Release     : 14.fc8
URL         : http://web.mit.edu/kerberos/www/
Summary     : The Kerberos network authentication system.
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.

Update Information:

This update incorporates fixes included in MITKRB5-SA-2008-001 (use of
uninitialized pointer / double-free in the KDC when v4 compatibility is enabled)
and MITKRB5-SA-2008-002 (incorrect handling of high-numbered descriptors in the
RPC library). This update also incorporates less-critical fixes for a
double-free (CVE-2007-5971) and an incorrect attempt to free non-heap memory
(CVE-2007-5901) in the GSSAPI library. This update also fixes an incorrect
calculation of the length of the absolute path name of a file when the relative
path is known and the library needs to look up which SELinux label to apply to
the file.

* Tue Mar 18 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-14
- add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer
  when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063,
- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when
  high-numbered descriptors are used (CVE-2008-0947, #433596)
- add backport bug fix for an attempt to free non-heap memory in
  libgssapi_krb5 (CVE-2007-5901, #415321)
- add backport bug fix for a double-free in out-of-memory situations in
  libgssapi_krb5 (CVE-2007-5971, #415351)
- fix calculation of the length of relative filenames when looking up the
  SELinux labels they should be given (Pawel Salek, #436345)
* Tue Feb 26 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-13
- stop adding a redundant but harmless call to initialize the gssapi internals
- kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that
  the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora,
  Netscape, Red Hat Directory Server (Simo Sorce)
* Mon Feb 25 2008 Nalin Dahyabhai <nalin at redhat.com>
- in login, allow PAM to interact with the user when they've been strongly
- in login, signal PAM when we're changing an expired password that it's an
  expired password, so that when cracklib flags a password as being weak it's
  treated as an error even if we're running as root
* Mon Feb 25 2008 Nalin Dahyabhai <nalin at redhat.com>
- remove a patch, to fix problems with interfaces which are "up" but which
  have no address assigned, which conflicted with a different fix for the same
  problem in 1.5 (#200979)
* Wed Jan 23 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-12
- backport fix from 1.6.3 to get back traditional prompt-for-password-change-
  on-expired-password behavior back in kinit (and other users of
  krb5_get_init_creds_opt_alloc()) (#433818)
* Fri Nov 16 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-11
- backport a fix to make handling of returned flags during spnego credential
  delegation more forgiving of apps which don't care about flags but still
  want a delegated credential handle (#314651, RT#5802)
- fix retrieval of krb5 credentials from an spnego delegated handle (#319351,
* Wed Oct 17 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.2-10
- make proper use of pam_loginuid and pam_selinux in rshd and ftpd
* Fri Oct 12 2007 Nalin Dahyabhai <nalin at redhat.com>
- make krb5.conf %verify(not md5 size mtime) in addition to
  %config(noreplace), like /etc/nsswitch.conf (#329811)

  [ 1 ] Bug #415321 - CVE-2007-5901 krb5: use-after-free in gssapi lib
  [ 2 ] Bug #415351 - CVE-2007-5971 krb5: double free in gssapi lib
  [ 3 ] Bug #432620 - CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc
  [ 4 ] Bug #432621 - CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request
  [ 5 ] Bug #433596 - CVE-2008-0947 krb5: file descriptor array overflow in RPC library

This update can be installed with the "yum" update program.  Use 
su -c 'yum update krb5' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
