[linux-sparc-announce] LFSSA-2016-0076 Linux for SPARC 1.0 krb5 security update

Announcements for Linux for SPARC linux-sparc-announce at oss.oracle.com
Wed Mar 23 15:51:56 PDT 2016


Linux for SPARC Security Advisory LFSSA-2016-0076

The following updated rpms for Linux for SPARC 1.0 have been uploaded to
yum.oracle.com:

sparc64:
krb5-devel-1.10.3-42z1.el6_7.sparc64.rpm
krb5-libs-1.10.3-42z1.el6_7.sparc64.rpm
krb5-pkinit-openssl-1.10.3-42z1.el6_7.sparc64.rpm
krb5-server-1.10.3-42z1.el6_7.sparc64.rpm
krb5-server-ldap-1.10.3-42z1.el6_7.sparc64.rpm
krb5-workstation-1.10.3-42z1.el6_7.sparc64.rpm


SRPMS:
http://yum.oracle.com/repo/linux_sparc64/latest/krb5-1.10.3-42z1.el6_7.src.rpm



Description of changes:

[1.10.3-42z1]
- Fix CVE-2015-8629 and CVE-2015-8631
- Also fix a spec trigger issue that prevents building
- Resolves: #1306973

[1.10.3-42]
- fix for RH bug #1210704 ("Remove stray include in krb5's
   localauth_plugin.h"). This unnecessary #include statement
   was causing build failures on some systems by making libkrb5
   sources depend on gssapi.h (and as result to libcom_err,
   too).

[1.10.3-41]
- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy
   name crash"

[1.10.3-40]
- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
   denial of service in recvauth_common() and others"

[1.10.3-39]
- Backout patch #137 for krbdev #7996 ("Simplify and improve
   ksu cred verification" - see 1.10.3-36) for now until we
   figure out how to get this working.

[1.10.3-38]
- Backported krbdev #7868 ("Use preauth options when changing
   password") from krb-1.13 to fix RH bug #1075656 ("krb5
   client ignores FAST settings for changepw requests"):
   If we try to change the password in
   |krb5_get_init_creds_password()|, we must use all
   application-specified gic options which affect
   preauthentication when getting the kadmin/changepw ticket.
   Create a helper function |make_chpw_options()| which copies
   the application's options, unsets the options we don't want,
   and sets options appropriate for a temporary ticket.

[1.10.3-37]
- Backported krb5-1.12.2 changes for |getclhoststr()|
   to fix RH bug #1154130 ("kadmind (Error): iprop_full_resync_1:
   getclhoststr failed").

[1.10.3-36]
- Backported krbdev #7996 ("Simplify and improve ksu cred
   verification"; cherry-picked from upstream
   bbfe19f03bdeca7b05b542dbae4c1692c9800c70) to fix RH bug
     less than 5 mins"): When verifying the user's initial
   credentials, don't compute a server name and preemptively
   obtain creds for it. This change allows
   |krb5_verify_init_creds()| to use any host key in the
   keytab, and not just the one for the canonicalized local
   hostname.

[1.10.3-35]
- fix for CVE-2014-5352 (#1179856) "gss_process_context_token()
   incorrectly frees context (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9421 (#1179857) "kadmind doubly frees partial
   deserialization results (MITKRB5-SA-2015-001)"
- fix for CVE-2014-9422 (#1179861) "kadmind incorrectly
   validates server principal name (MITKRB5-SA-2015-001)"

[1.10.3-34]
- Backport of krb1.12 localauth plugin support
   See krb5-1.10-localauth_backport.patch for porting comments.

[1.10.3-33]
- actually apply that last patch

[1.10.3-32]
- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345, #1128157)

[1.10.3-31]
- ksu: when evaluating .k5users, don't throw away data from .k5users when
   we're not passed a command to run, which implicitly means we're
   attempting to run the target user's shell (#1026721, revised)

[1.10.3-30]
- ksu: when evaluating .k5users, treat lines with just a principal name as
   if they contained the principal name followed by '*', and don't throw
   away data from .k5users when we're not passed a command to run, which
   implicitly means we're attempting to run the target user's shell
   (#1026721, revised)

[1.10.3-29]
- gssapi: pull in upstream fix for a possible NULL dereference in spnego
   (CVE-2014-4344, #1121510)
- gssapi: pull in proposed-and-accepted fix for a double free in initiators
   (David Woodhouse, CVE-2014-4343, #1121510)

[1.10.3-28]
- correct a type mistake in the backported fix for
   CVE-2013-1418/CVE-2013-6800

[1.10.3-27]
- pull in backported fix for denial of service by injection of malformed
   GSSAPI tokens (CVE-2014-4341, CVE-2014-4342, #1121510)
- incorporate backported patch for remote crash of KDCs which serve multiple
   realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, more of

[1.10.3-26]
- pull in backport of patch to not subsequently always require that
   responses come from master KDCs if we get one from a master somewhere
   along the way while chasing referrals (RT#7650, #1113652)

[1.10.3-25]
- ksu: if the -e flag isn't used, use the target user's shell when checking
   for authorization via the target user's .k5users file (#1026721)

[1.10.3-24]
- define _GNU_SOURCE in files where we use EAI_NODATA, to make sure that
   it's declared (#1059730)

[1.10.3-23]
- spnego: pull in patch from master to restore preserving the OID of the
   mechanism the initiator requested when we have multiple OIDs for the same
   mechanism, so that we reply using the same mechanism OID and the
   initiator doesn't get confused (#1087068, RT#7858)

[1.10.3-22]
- add patch from Jatin Nansi to avoid attempting to clear memory at the
   NULL address if krb5_encrypt_helper() returns an error when called
   from encrypt_credencpart() (#1055329, pull #158)

[1.10.3-21]
- drop patch to add additional access() checks to ksu - they shouldn't be
   resulting in any benefit

[1.10.3-20]
- apply patch from Nikolai Kondrashov to pass a default realm set in
   /etc/sysconfig/krb5kdc to the kdb_check_weak helper, so that it doesn't
   produce an error if there isn't one set in krb5.conf (#1009389)

[1.10.3-19]
- packaging: don't Obsoletes: older versions of krb5-pkinit-openssl and
   virtual Provide: krb5-pkinit-openssl on EL6, where we don't need to
   bother with any of that (#1001961)

[1.10.3-18]
- pkinit: backport tweaks to avoid trying to call the prompter callback
   when one isn't set (part of #965721)
- pkinit: backport the ability to use a prompter callback to prompt for
   a password when reading private keys (the rest of #965721)

[1.10.3-17]
- backport fix to not spin on a short read when reading the length of a
   response over TCP (RT#7508, #922884)

[1.10.3-16]
- backport fix for trying all compatible keys when not being strict about
   acceptor names while reading AP-REQs (RT#7883, #1070244)



