| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Fedora alert FEDORA-2008-2647 (krb5)
| From: | updates@fedoraproject.org | |
| To: | fedora-package-announce@redhat.com | |
| Subject: | [SECURITY] Fedora 8 Update: krb5-1.6.2-14.fc8 | |
| Date: | Fri, 21 Mar 2008 22:21:37 +0000 | |
| Message-ID: | <200803212226.m2LMPMY8021560@bastion.fedora.phx.redhat.com> |
-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2008-2647 2008-03-21 21:45:06 -------------------------------------------------------------------------------- Name : krb5 Product : Fedora 8 Version : 1.6.2 Release : 14.fc8 URL : http://web.mit.edu/kerberos/www/ Summary : The Kerberos network authentication system. Description : Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. -------------------------------------------------------------------------------- Update Information: This update incorporates fixes included in MITKRB5-SA-2008-001 (use of uninitialized pointer / double-free in the KDC when v4 compatibility is enabled) and MITKRB5-SA-2008-002 (incorrect handling of high-numbered descriptors in the RPC library). This update also incorporates less-critical fixes for a double- free (CVE-2007-5971) and an incorrect attempt to free non-heap memory (CVE-2007-5901) in the GSSAPI library. This update also fixes an incorrect calculation of the length of the absolute path name of a file when the relative path is known and the library needs to look up which SELinux label to apply to the file. -------------------------------------------------------------------------------- ChangeLog: * Tue Mar 18 2008 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-14 - add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063, - add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when high-numbered descriptors are used (CVE-2008-0947, #433596) - add backport bug fix for an attempt to free non-heap memory in libgssapi_krb5 (CVE-2007-5901, #415321) - add backport bug fix for a double-free in out-of-memory situations in libgssapi_krb5 (CVE-2007-5971, #415351) - fix calculation of the length of relative filenames when looking up the SELinux labels they should be given (Pawel Salek, #436345) * Tue Feb 26 2008 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-13 - stop adding a redundant but harmless call to initialize the gssapi internals - kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora, Netscape, Red Hat Directory Server (Simo Sorce) * Mon Feb 25 2008 Nalin Dahyabhai <nalin@redhat.com> - in login, allow PAM to interact with the user when they've been strongly authenticated - in login, signal PAM when we're changing an expired password that it's an expired password, so that when cracklib flags a password as being weak it's treated as an error even if we're running as root * Mon Feb 25 2008 Nalin Dahyabhai <nalin@redhat.com> - remove a patch, to fix problems with interfaces which are "up" but which have no address assigned, which conflicted with a different fix for the same problem in 1.5 (#200979) * Wed Jan 23 2008 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-12 - backport fix from 1.6.3 to get back traditional prompt-for-password-change- on-expired-password behavior back in kinit (and other users of krb5_get_init_creds_opt_alloc()) (#433818) * Fri Nov 16 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-11 - backport a fix to make handling of returned flags during spnego credential delegation more forgiving of apps which don't care about flags but still want a delegated credential handle (#314651, RT#5802) - fix retrieval of krb5 credentials from an spnego delegated handle (#319351, RT#5807) * Wed Oct 17 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.2-10 - make proper use of pam_loginuid and pam_selinux in rshd and ftpd * Fri Oct 12 2007 Nalin Dahyabhai <nalin@redhat.com> - make krb5.conf %verify(not md5 size mtime) in addition to %config(noreplace), like /etc/nsswitch.conf (#329811) -------------------------------------------------------------------------------- References: [ 1 ] Bug #415321 - CVE-2007-5901 krb5: use-after-free in gssapi lib https://bugzilla.redhat.com/show_bug.cgi?id=415321 [ 2 ] Bug #415351 - CVE-2007-5971 krb5: double free in gssapi lib https://bugzilla.redhat.com/show_bug.cgi?id=415351 [ 3 ] Bug #432620 - CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc https://bugzilla.redhat.com/show_bug.cgi?id=432620 [ 4 ] Bug #432621 - CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request https://bugzilla.redhat.com/show_bug.cgi?id=432621 [ 5 ] Bug #433596 - CVE-2008-0947 krb5: file descriptor array overflow in RPC library https://bugzilla.redhat.com/show_bug.cgi?id=433596 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update krb5' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at http://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list Fedora-package-announce@redhat.com http://www.redhat.com/mailman/listinfo/fedora-package-ann...
(Log in to post comments)