[SECURITY] Fedora 20 Update: krb5-1.11.5-18.fc20

updates at fedoraproject.org
Mon Mar 9 08:18:34 UTC 2015


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2015-2382
2015-02-21 01:17:08
--------------------------------------------------------------------------------

Name        : krb5
Product     : Fedora 20
Version     : 1.11.5
Release     : 18.fc20
URL         : http://web.mit.edu/kerberos/www/
Summary     : The Kerberos network authentication system
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of sending passwords over the network in unencrypted form.

--------------------------------------------------------------------------------
Update Information:

Security fix for CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423
Security fix for CVE-2014-5351
--------------------------------------------------------------------------------
ChangeLog:

* Wed Feb  4 2015 Roland Mainz <rmainz at redhat.com> - 1.11.5-18
- fix for CVE-2014-5352 (#1179856) "gss_process_context_token()
  incorrectly frees context (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9421 (#1179857) "kadmind doubly frees partial
  deserialization results (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9422 (#1179861) "kadmind incorrectly
  validates server principal name (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9423 (#1179863) "libgssrpc server applications
  leak uninitialized bytes (MITKRB5-SA-2015-001)"
* Wed Dec 17 2014 Roland Mainz <rmainz at redhat.com> - 1.11.5-17
- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy
  name crash"
* Tue Sep 30 2014 Roland Mainz <rmainz at redhat.com> - 1.11.5-16
- fix for CVE-2014-5351 (#1145425) "krb5: current keys returned when
  randomizing the keys for a service principal"
* Sat Sep  6 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-15
- replace older proposed changes for ksu with backports of the changes
  after review and merging upstream (#1015559, #1026099, #1118347)
* Thu Aug 28 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-14
- backport fix for trying all compatible keys when not being strict about
  acceptor names while reading AP-REQs (RT#7883, #1078888)
* Tue Aug 26 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-13
- kpropd hasn't bothered with -S since 1.11; stop trying to use that flag
  in the systemd unit file
* Wed Aug 20 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-12
- pull in upstream fix for an incorrect check on the value returned by a
  strdup() call (#1132062)
- pull in upstream fix for a possible null dereference in a db2 btree error
  case (#1132063)
- pull in upstream rewrite of getclhoststr() in the iprop service, to
  correctly detect when a client principal name is malformed (#1132067)
* Thu Aug  7 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-11
- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345)
* Mon Jul 21 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-10
- gssapi: pull in upstream fix for a possible NULL dereference
  in spnego (CVE-2014-4344)
* Wed Jul 16 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-9
- gssapi: pull in proposed fix for a double free in initiators (David
  Woodhouse, CVE-2014-4343, #1117963)
* Mon Jul  7 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-8
- pull in fix for denial of service by injection of malformed GSSAPI tokens
  (CVE-2014-4341, CVE-2014-4342, #1116181)
* Tue Jun 24 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-7
- pull in changes from upstream which add processing of the contents of
  /etc/gss/mech.d/*.conf when loading GSS modules (#1102839)
- pull in fix for building against tcl 8.6 (#1107061)
* Tue May 27 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-6
- back out currently-proposed changes to teach ksu about credential cache
  collections and the default_ccache_name setting (#1089035) for now
* Tue Mar  4 2014 Nathaniel McCallum <npmccallum at redhat.com> - 1.11.5-5
- Backport fix for change password requests when using FAST (RT#7868)
* Mon Feb 17 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-4
- spnego: pull in patch from master to restore preserving the OID of the
  mechanism the initiator requested when we have multiple OIDs for the same
  mechanism, so that we reply using the same mechanism OID and the initiator
  doesn't get confused (#1066000, RT#7858)
* Mon Feb 10 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-3
- pull in patch from master to move the default directory which the KDC uses
  when computing the socket path for a local OTP daemon from the database
  directory (/var/kerberos/krb5kdc) to the newly-added run directory
  (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859, more
  of #1040056 as #1063905)
- add a tmpfiles.d configuration file to have /run/krb5kdc created at
  boot-time
- own /var/run/krb5kdc
* Fri Jan 31 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-2
- rebuild because I tagged the previous package wrong
* Fri Jan 31 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.5-1
- update to 1.11.5
  - remove patch for RT#7650, obsoleted in 1.11.4
  - remove patch for RT#7706, obsoleted in 1.11.4
  - remove patch for RT#7756 (CVE-2013-1418), obsoleted in 1.11.4
  - remove patch for RT#7668 (CVE-2013-1417), obsoleted in 1.11.4
  - remove patch for RT#7508, obsoleted in 1.11.4
  - remove patch for RT#7794, obsoleted in 1.11.4 as RT#7825
  - remove patch for RT#7797, obsoleted in 1.11.4 as RT#7827
  - remove patch for RT#7803, obsoleted in 1.11.4 as RT#7828
  - remove patch for RT#7805, obsoleted in 1.11.4 as RT#7829
  - remove patch for RT#7807, obsoleted in 1.11.4 as RT#7826
  - remove patch for RT#7045, obsoleted in 1.11.4 as RT#7823
* Fri Jan 31 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-40
- add currently-proposed changes to teach ksu about credential cache
  collections and the default_ccache_name setting (#1015559,#1026099)
* Tue Jan 21 2014 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-39
- pull in upstream patch to fix the GSSAPI library's checks for expired
  client creds in gss_init_sec_context() so that they work with keyring
  caches (RT#7820, #1030607)
* Tue Jan 21 2014 Nalin Dahyabhai <nalin at redhat.com>
- pull in and backport multiple changes to allow replay caches to be added to
  a GSS credential store as "rcache"-type credentials (RT#7818/#7819/#7836,
* Thu Dec 19 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-38
- pull in fix from master to make reporting of errors encountered by the SPNEGO
  mechanism work better (RT#7045, part of #1043962)
* Thu Dec 19 2013 Nalin Dahyabhai <nalin at redhat.com>
- update a test wrapper to properly handle things that the new libkrad does,
  and add python-pyrad as a build requirement so that we can run its tests
* Wed Dec 18 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-37
- backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739)
* Wed Dec 18 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-36
- backport fix to avoid double-freeing in the client when we're configured
  to use a clpreauth module that isn't actually a clpreauth module (#1035203)
* Wed Dec 18 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-35
- pull in fix from master to return a NULL pointer rather than allocating
  zero bytes of memory if we read a zero-length input token (RT#7794, part of
- pull in fix from master to ignore an empty token from an acceptor if
  we've already finished authenticating (RT#7797, part of #1043962)
- pull in fix from master to avoid a memory leak when a mechanism's
  init_sec_context function fails (RT#7803, part of #1043962)
- pull in fix from master to avoid a memory leak in a couple of error
  cases which could occur while obtaining acceptor credentials (RT#7805, part
  of #1043962)
* Tue Dec 17 2013 Nalin Dahyabhai <nalin at redhat.com> - 1.11.3-34
- backport additional changes to libkrad to make it function more like
  the version in upstream 1.12, and a few things in the OTP plugin as well
  (most visibly, that the secret that's shared with the RADIUS server is read
  from a file rather than used directly) (#1040056)
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #1179856 - CVE-2014-5352 krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)
        https://bugzilla.redhat.com/show_bug.cgi?id=1179856
  [ 2 ] Bug #1179857 - CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
        https://bugzilla.redhat.com/show_bug.cgi?id=1179857
  [ 3 ] Bug #1179861 - CVE-2014-9422 krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)
        https://bugzilla.redhat.com/show_bug.cgi?id=1179861
  [ 4 ] Bug #1179863 - CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)
        https://bugzilla.redhat.com/show_bug.cgi?id=1179863
  [ 5 ] Bug #1145425 - CVE-2014-5351 krb5: current keys returned when randomizing the keys for a service principal
        https://bugzilla.redhat.com/show_bug.cgi?id=1145425
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use
su -c 'yum update krb5' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
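A practitioner reading this notice usually wants one check: is the krb5 build on a given host at or above 1.11.5-18.fc20? Comparing that by eye is error-prone (1.11.5-18 versus 1.11.5-17, epochs, ~rc suffixes), so the following is an added example, not part of the Fedora notice, that re-implements RPM's version ordering (rpmvercmp and epoch:version-release comparison) in pure Python and applies it to a constructed inventory. The fixed EVR comes from the header above; the `krb5-libs` subpackage name used in the optional live `rpm -q` query is an assumption (the notice names only the `krb5` source package) and is only run under `__main__`.

```python
"""Check installed krb5 EVRs against the fixed release in this advisory.

Added illustration, not part of the Fedora notice. rpmvercmp() is a port
of rpm's comparison rules so the check runs on any host; the live rpm
query is optional and only used when the file is executed directly.
"""
import subprocess

# Fixed EVR taken from the advisory header: Version 1.11.5, Release 18.fc20.
FIXED_EVR = "1.11.5-18.fc20"


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1, 0 or 1 as a <, ==, > b."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Separators (anything not alphanumeric, '~' or '^') are skipped.
        while i < len(a) and not (a[i].isalnum() or a[i] in "~^"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] in "~^"):
            j += 1
        # '~' sorts before everything, even end-of-string (pre-releases).
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        # '^' sorts after end-of-string but before anything else (post-releases).
        ca, cb = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if ca or cb:
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        # Take one segment from each side: a run of digits or a run of letters.
        isnum = a[i].isdigit()
        pred = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while i < len(a) and pred(a[i]):
            i += 1
        while j < len(b) and pred(b[j]):
            j += 1
        seg_a, seg_b = a[si:i], b[sj:j]
        if not seg_b:
            return 1 if isnum else -1  # type mismatch: numeric is newer
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_evr(evr: str):
    """Split 'epoch:version-release'; a missing or '(none)' epoch counts as 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
        if epoch in ("", "(none)"):
            epoch = "0"
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(x: str, y: str) -> int:
    """Compare two EVR strings epoch first, then version, then release."""
    for p, q in zip(parse_evr(x), parse_evr(y)):
        r = rpmvercmp(p, q)
        if r:
            return r
    return 0


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    return compare_evr(installed_evr, fixed_evr) >= 0


# Constructed sample inventory (hostname -> installed EVR); not real data.
SAMPLE_INVENTORY = {
    "kdc1.example.test": "1.11.5-18.fc20",
    "web2.example.test": "1.11.5-17.fc20",
    "old3.example.test": "1.11.3-40.fc20",
    "new4.example.test": "1.12.2-1.fc21",
}


def audit(inventory, fixed_evr=FIXED_EVR):
    """Return {host: True if patched} for a hostname -> EVR mapping."""
    return {host: is_fixed(evr, fixed_evr) for host, evr in inventory.items()}


def installed_evr(package: str = "krb5-libs") -> str:
    """Query the local rpm database. 'krb5-libs' is an assumed subpackage name."""
    out = subprocess.run(["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", package],
                         capture_output=True, text=True, check=True).stdout
    return out.strip().splitlines()[0]


if __name__ == "__main__":
    for host, ok in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {'patched' if ok else 'NOT patched'}")
```

The comparison is done on the full epoch:version-release triple rather than on the version alone because this fix ships as a release bump (1.11.5-17 to 1.11.5-18) with an unchanged upstream version; a version-only check would report the unpatched -17 build as current.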

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------