[El-errata] ELSA-2015-2154 Moderate: Oracle Linux 7 krb5 security, bug fix, and enhancement update
Errata Announcements for Oracle Linux
el-errata at oss.oracle.com
Mon Nov 23 18:48:06 PST 2015
Oracle Linux Security Advisory ELSA-2015-2154
http://linux.oracle.com/errata/ELSA-2015-2154.html
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
x86_64:
krb5-devel-1.13.2-10.el7.i686.rpm
krb5-devel-1.13.2-10.el7.x86_64.rpm
krb5-libs-1.13.2-10.el7.i686.rpm
krb5-libs-1.13.2-10.el7.x86_64.rpm
krb5-pkinit-1.13.2-10.el7.x86_64.rpm
krb5-server-1.13.2-10.el7.x86_64.rpm
krb5-server-ldap-1.13.2-10.el7.x86_64.rpm
krb5-workstation-1.13.2-10.el7.x86_64.rpm
SRPMS:
http://oss.oracle.com/ol7/SRPMS-updates/krb5-1.13.2-10.el7.src.rpm
Description of changes:
[1.13.2-9]
- Add patch and test case for "KDC does not return proper
client principal for client referrals"
- Resolves: #1259846
[1.13.2-9]
- Amend patch for RedHat bug #1252454 ('testsuite complains
"Lifetime has increased by 32436 sec while 0 sec passed!",
while rhel5-libkrb5 passes') to handle the newly introduced
valgrind hits.
[1.13.2-8]
- Add a patch to fix RH Bug #1250154 ("[s390x, ppc64, ppc64le]:
kadmind does not accept ACL if kadm5.acl does not end with EOL").
The code "accidentally" works on x86/AMD64 because a plain |char|
there is a |signed char| by default, while most other platforms
(e.g. { s390x, ppc64, ppc64le, ...}) default to |unsigned char|
(still have to use lint(1) to clean up 38 more instances of this
kind of bug).
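Added illustration of the bug class behind RH #1250154 (this is example code written for this page, not the krb5 ACL parser and not the patch referenced above): a minimal line reader that narrows the int returned by getc() to a plain char before testing for EOF, next to the portable version that keeps the int. On x86/AMD64 a plain char is signed, so EOF (-1) survives the narrowing and a final line without a newline is still terminated; on s390x, ppc64, ppc64le (and ARM) char is unsigned, EOF becomes 255 and the reader never sees the end of the file, so the whole ACL is rejected. The kadm5.acl content and the in-memory stream are constructed for the example; the `char_is_unsigned` flag emulates the platform default so both behaviours can be observed on one machine.

```c
#include <stdio.h>
#include <string.h>

/* Constructed kadm5.acl content whose last line has no trailing newline,
 * the case from the bug report. Example data, not a real ACL file. */
static const char ACL_NO_EOL[] = "*/admin@EXAMPLE.COM *";

/* Minimal in-memory stream so the demo runs offline; mem_getc() behaves
 * like getc(): bytes come back as 0..255, then EOF (-1). */
struct mem_stream { const char *data; size_t len; size_t pos; };

static int mem_getc(struct mem_stream *s)
{
    if (s->pos >= s->len)
        return EOF;
    return (unsigned char)s->data[s->pos++];
}

/* Buggy reader: the int from getc() is narrowed to a plain char before the
 * EOF test. 'char_is_unsigned' emulates the platform default (1 for s390x,
 * ppc64, ppc64le, ARM; 0 for x86/AMD64). With an unsigned char, EOF (-1)
 * becomes 255 and never compares equal, so a final line without '\n'
 * keeps collecting 0xFF "bytes" until the buffer limit rejects the line. */
static int read_line_buggy(struct mem_stream *s, char *out, size_t outlen,
                           int char_is_unsigned)
{
    size_t n = 0;
    for (;;) {
        int raw = mem_getc(s);
        int c = char_is_unsigned ? (int)(unsigned char)raw
                                 : (int)(signed char)raw;
        if (c == EOF || c == '\n')
            break;
        if (n + 1 >= outlen)
            return -1;              /* overlong or runaway line: reject */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Fixed reader: keep the full int so EOF stays distinct from every byte
 * value on every platform. (The signed-char variant is also wrong the other
 * way round: a literal 0xFF byte in the file would be taken for EOF.) */
static int read_line_fixed(struct mem_stream *s, char *out, size_t outlen)
{
    size_t n = 0;
    for (;;) {
        int c = mem_getc(s);
        if (c == EOF || c == '\n')
            break;
        if (n + 1 >= outlen)
            return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* Parse ACL_NO_EOL and count non-comment entries; -1 means the ACL file
 * was rejected as a whole, the symptom reported against kadmind. */
static int count_acl_entries(int use_buggy_reader, int char_is_unsigned)
{
    struct mem_stream s = { ACL_NO_EOL, sizeof(ACL_NO_EOL) - 1, 0 };
    char line[64];
    int entries = 0;

    while (s.pos < s.len) {
        int n = use_buggy_reader
                    ? read_line_buggy(&s, line, sizeof line, char_is_unsigned)
                    : read_line_fixed(&s, line, sizeof line);
        if (n < 0)
            return -1;
        if (n > 0 && line[0] != '#')
            entries++;
    }
    return entries;
}

int main(void)
{
    printf("buggy reader, signed char   (x86):   %d\n", count_acl_entries(1, 0));
    printf("buggy reader, unsigned char (ppc64): %d\n", count_acl_entries(1, 1));
    printf("fixed reader, any platform:          %d\n", count_acl_entries(0, 0));
    return 0;
}
```

The same defect pattern (storing getc()/fgetc() results, or any value compared against EOF, in a char) is what the changelog's "38 more instances" refers to; compiling with -Wall and, on GCC/Clang, -funsigned-char on an x86 build box is a cheap way to surface them without access to a ppc64 or s390x host.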
[1.13.2-7]
- Obsolete multilib versions of server packages to fix RH
bug #1251913 ("krb5 should obsolete the multilib versions
of krb5-server and krb5-server-ldap").
The following packages are declared obsolete:
- krb5-server-1.11.3-49.el7.i686
- krb5-server-1.11.3-49.el7.ppc
- krb5-server-1.11.3-49.el7.s390
- krb5-server-ldap-1.11.3-49.el7.i686
- krb5-server-ldap-1.11.3-49.el7.ppc
- krb5-server-ldap-1.11.3-49.el7.s390
[1.13.2-6]
- Add a patch to fix RedHat bug #1252454 ('testsuite complains
"Lifetime has increased by 32436 sec while 0 sec passed!",
while rhel5-libkrb5 passes') so that krb5 resolves GSS creds
if |time_rec| is requested.
[1.13.2-5]
- Add a patch to fix RedHat bug #1251586 ("KDC sends multiple
requests to ipa-otpd for the same authentication") which causes
the KDC to send multiple retries to ipa-otpd for TCP transports
while it should only be done for UDP.
[1.13.2-4]
- the rebase to krb5 1.13.2 in vers 1.13.2-0 also fixed:
- Redhat Bug #1247761 ("RFE: Minor krb5 spec file cleanup and sync
with recent Fedora 22/23 changes")
- Redhat Bug #1247751 ("krb5-config returns wrong -specs path")
- Redhat Bug #1247608 ('Add support for multi-hop preauth mechs
via |KDC_ERR_MORE_PREAUTH_DATA_REQUIRED| for RFC 6113 ("A
Generalized Framework for Kerberos Pre-Authentication")')
- Removed "krb5-1.10-kprop-mktemp.patch" and
"krb5-1.3.4-send-pr-tempfile.patch", both are no longer used since
the rebase to krb5 1.13.1
[1.13.2-3]
- Add patch to fix Redhat Bug #1222903 ("[SELinux] AVC denials may appear
when kadmind starts"). The issue was caused by an unneeded |htons()|
which triggered SELinux AVC denials due to the "random" port usage.
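Added illustration of why a superfluous htons() produces a "random" port (example code written for this page, not the kadmind code or the patch referenced above): a port value that is already in network byte order, as returned by getaddrinfo() in sin_port, is byte-swapped a second time. On a little-endian host the two swaps cancel in the variable but the kernel reads sin_port as network order, so bind() lands on 60674 instead of 749 and a port-typed SELinux policy denies it; on a big-endian host htons() is the identity and the bug is invisible. The port number 749 (kerberos-adm) is the only input assumed.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* kadmind's well-known port (kerberos-adm in /etc/services). */
#define KADMIN_PORT 749

static int is_little_endian(void)
{
    uint16_t probe = 1;
    return *(const unsigned char *)&probe == 1;
}

/* Correct: swap exactly once, host to network order. The kernel interprets
 * sin_port as network order, so it sees the intended port. */
static uint16_t port_kernel_sees_correct(uint16_t host_port)
{
    uint16_t sin_port = htons(host_port);
    return ntohs(sin_port);         /* what bind() actually uses */
}

/* Buggy: sin_port is already in network order (the first htons() stands in
 * for a value filled in by getaddrinfo()), and the caller swaps it again.
 * On little-endian hosts the bytes end up reversed: 749 (0x02ED) is bound
 * as 0xED02 = 60674, a port the SELinux policy does not label for kadmind. */
static uint16_t port_kernel_sees_buggy(uint16_t host_port)
{
    uint16_t sin_port = htons(host_port);   /* already network order */
    sin_port = htons(sin_port);             /* the superfluous swap */
    return ntohs(sin_port);
}

int main(void)
{
    printf("host is %s-endian\n", is_little_endian() ? "little" : "big");
    printf("correct: kernel binds port %u\n", port_kernel_sees_correct(KADMIN_PORT));
    printf("buggy:   kernel binds port %u\n", port_kernel_sees_buggy(KADMIN_PORT));
    return 0;
}
```

When an AVC denial names a high, unfamiliar port for a daemon that should be on a fixed low one, checking the reported port against the byte-swapped expected value is a quick way to tell a byte-order bug from a genuine policy gap before reaching for audit2allow.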
[1.13.2-2]
- Add fix for RedHat Bug #1164304 ("Upstream unit tests loads
the installed shared libraries instead the ones from the build")
[1.13.2-1]
- the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed:
- Bug 1144498 ("Fix the race condition in the libkrb5 replay cache")
- Bug 1163402 ("kdb5_ldap_util view_policy does not shows ticket
flags on s390x and ppc64")
- Bug 1185770 ("Missing upstream test in krb5-1.12.2:
src/tests/gssapi/t_invalid.c")
- Bug 1204211 ("CVE-2014-5355 krb5: unauthenticated denial of service
in recvauth_common() and other")
[1.13.2-0]
- Update to krb5-1.13.2
- drop patch for
krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC,
fixed in krb5-1.13.2
- drop patch for
krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in
krb5-1.13.2
[1.13.1-2]
- the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed RH
bug #1156144 ("krb5 upstream test t_kdb.py failure")
[1.13.1-1]
- fix for CVE-2015-2694 (#1218020) "requires_preauth bypass
in PKINIT-enabled KDC".
In MIT krb5 1.12 and later, when the KDC is configured with
PKINIT support, an unauthenticated remote attacker can
bypass the requires_preauth flag on a client principal and
obtain a ciphertext encrypted in the principal's long-term
key. This ciphertext could be used to conduct an off-line
dictionary attack against the user's password.
[1.13.1-0]
- Update to krb5-1.13.1
- patch krb5-1.12-selinux-label was updated and renamed to
krb5-1.13-selinux-label
- patch krb5-1.11-dirsrv-accountlock was updated and renamed to
krb5-1.13-dirsrv-accountlock
- drop patch for krb5-1.12-pwdch-fast, fixed in krb5-1.13
- drop patch for krb5-1.12ish-kpasswd_tcp, fixed in krb5-1.13
- drop patch for krb5-master-rcache-internal-const, no longer needed
- drop patch for krb5-master-rcache-acquirecred-cleanup, no longer needed
- drop patch for krb5-master-rcache-acquirecred-source, no longer needed
- drop patch for krb5-master-rcache-acquirecred-test, no longer needed
- drop patch for krb5-master-move-otp-sockets, no longer needed
- drop patch for krb5-master-mechd, no longer needed
- drop patch for krb5-master-strdupcheck, no longer needed
- drop patch for krb5-master-compatible-keys, no longer needed
- drop patch for krb5-1.12-system-exts, fixed in krb5-1.13
- drop patch for 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted,
no longer needed
- drop patch for 0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals,
no longer needed
- drop patch for 0003-Use-an-intermediate-memory-cache-in-ksu, no
longer needed
- drop patch for
0004-Make-ksu-respect-the-default_ccache_name-setting, no longer needed
- drop patch for 0005-Copy-config-entries-to-the-ksu-target-ccache,
no longer needed
- drop patch for
0006-Use-more-randomness-for-ksu-secondary-cache-names, no longer needed
- drop patch for 0007-Make-krb5_cc_new_unique-create-DIR-directories,
no longer needed
- drop patch for krb5-1.12-kpasswd-skip-address-check, fixed in krb5-1.13
- drop patch for 0000-Refactor-cm-functions-in-sendto_kdc.c, no
longer needed
- drop patch for 0001-Simplify-sendto_kdc.c, no longer needed
- drop patch for 0002-Add-helper-to-determine-if-a-KDC-is-the-master,
no longer needed
- drop patch for 0003-Use-k5_transport-_strategy-enums-for-k5_sendto,
no longer needed
- drop patch for
0004-Build-support-for-TLS-used-by-HTTPS-proxy-support, no longer needed
- drop patch for 0005-Add-ASN.1-codec-for-KKDCP-s-KDC-PROXY-MESSAGE,
no longer needed
- drop patch for
0006-Dispatch-style-protocol-switching-for-transport, no longer needed
- drop patch for
0007-HTTPS-transport-Microsoft-KKDCPP-implementation, no longer needed
- drop patch for 0008-Load-custom-anchors-when-using-KKDCP, no longer
needed
- drop patch for
0009-Check-names-in-the-server-s-cert-when-using-KKDCP, no longer needed
- drop patch for 0010-Add-some-longer-form-docs-for-HTTPS, no longer
needed
- drop patch for 0011-Have-k5test.py-provide-runenv-to-python-tests,
no longer needed
- drop patch for 0012-Add-a-simple-KDC-proxy-test-server, no longer
needed
- drop patch for 0013-Add-tests-for-MS-KKDCP-client-support, no
longer needed
- drop patch for krb5-1.12ish-tls-plugins, fixed in krb5-1.13.1
- drop patch for krb5-1.12-nodelete-plugins, fixed in krb5-1.13.1
- drop patch for krb5-1.12-ksu-untyped-default-ccache-name, fixed in
krb5-1.13.1
- drop patch for krb5-1.12-ksu-no-ccache, fixed in krb5-1.13.1
- drop patch for krb5-ksu_not_working_with_default_principal, fixed
in krb5-1.13.1
- drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash,
fixed in krb5-1.13.1
- drop patch for CVE_2014_5354_support_keyless_principals_in_ldap,
fixed in krb5-1.13.1
- drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1
- drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 },
fixed in krb5-1.13.1
- added patch krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED
- added patch krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling
- Minor spec cleanup