[Oraclevm-errata] OVMSA-2011-0015 Critical: Oracle VM 2.2 krb5 security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Wed Jan 4 09:09:32 PST 2012 

Oracle VM Security Advisory OVMSA-2011-0015

The following updated rpms for Oracle VM 2.2 have been uploaded to the 
Unbreakable Linux Network:

i386:
krb5-libs-1.6.1-63.el5_7.i386.rpm
krb5-workstation-1.6.1-63.el5_7.i386.rpm


SRPMS:
http://oss.oracle.com/oraclevm/server/2.2/SRPMS-updates/krb5-1.6.1-63.el5_7.src.rpm


Description of changes:

[1.6.1-63.el5_7]
- Fix for CVE-2011-4862

[1.6.1-62.el5_7]
- incorporate a fix to teach the file labeling bits about when replay caches
are expunged (#712453)

[1.6.1-61.el5_7]
- rebuild
- ftp: handle larger command inputs (#665833)

[1.6.1-60.el5_7]
- dont bail halfway through an unlock operation when the result will
be discarded and the end-result not cleaned up (Martin Osvald, #586032)
- add a versioned dependency between krb5-server-ldap and krb5-libs 
(internal
tooling)

[1.6.1-59.el5_7]
- dont discard the error code from an error message received in response
to a change-password request (#658871, RT#6893)

[1.6.1-58.el5_7]
- ftpd: add patch from Jatin Nansi to correctly match restrict
lines in /etc/ftpusers (#644215, RT#6889)

[1.6.1-57.el5_7]
- ftp: add modified patch from Rogan Kyuseok Lee to report the number of
bytes transferred correctly when transferring large files on 32-bit
systems (#648404)

[1.6.1-56.el5_7]
- backport fix for RT#6514: memory leak freeing rcache type none (#678205)
- add upstream patch to fix hang or crash in the KDC when using the LDAP kdb
backend (CVE-2011-0281, CVE-2011-0282, #671097)

[1.6.1-55.el5_7]
- incorporate upstream patch for checksum acceptance issues from
MITKRB5-SA-2010-007 (CVE-2010-1323, #652308)

[1.6.1-54.el5_7]
- backport a fix to the previous change (#539423)

[1.6.1-53.el5_7]
- backport the k5login_directory and k5login_authoritative settings 
(#539423)

[1.6.1-52.el5_7]
- krshd: dont limit user names to 16 chars when utmp can handle names
at least a bit longer than that (#611713)

[1.6.1-51.el5_7]
- fix a logic bug in computing key expiration times (RT#6762, #627038)

[1.6.1-50.el5_7]
- correct the post-rotate scriptlet in the kadmind logrotate config (more
of #462658)

[1.6.1-49.el5_7]
- ftpd: backport changes to modify behavior to match 
telnetd,rshd,rlogind and
accept GSSAPI auth to any service for which we have a matching key (#538075)

[1.6.1-47.el5_7]
- pull in fix for RT#5551 to treat the referral realm when seen in a ticket
as though it were the local realm (#498554, also very likely #450122)

[1.6.1-46.el5_7]
- add aes256-cts:normal and aes128-cts:normal to the list of keysalts
in the default kdc.conf (part of #565941)
- add a note to kdc.conf(5) pointing to the admin guide for the list of
recognized key and salt types (the rest of #565941)

[1.6.1-45.el5_7]
- add logrotate configuration files for krb5kdc and kadmind (#462658)

[1.6.1-44.el5_7]
- libgssapi: backport patch from svn to stop returning context-expired 
errors
when the ticket which was used to set up the context expires (#605367,
upstream #6739)

[1.6.1-43.el5_7]
- enable building the -server-ldap subpackage (#514362)

[1.6.1-42.el5_7]
- stop caring about the endianness of stash files (#514741), which will be
replaced by proper keytab files in later releases
- dont crash in krb5_get_init_creds_password() if the passed-in options
struct is NULL and the clients keys have expired (#555875)

[1.6.1-41.el5_7]
- ksu: perform PAM account and session management before dropping privileges
to those of the target user (#540769 and #596887, respectively)
- add candidate patch to correct libgssapi null pointer dereference which
could be triggered by malformed client requests (CVE-2010-1321, #583704)

[1.6.1-40.el5_7]
- fix a null pointer dereference and crash introduced in our PAM patch that
would happen if ftpd was given the name of a user who wasnt known to the
local system, limited to being triggerable by gssapi-authenticated 
clients by
the default xinetd config (Olivier Fourdan, #569472)

[1.6.1-39.el5_7]
- add upstream patch to fix a few use-after-free bugs, including one in
kadmind (CVE-2010-0629, #578186)

[1.6.1-38.el5_7]
- merge patch to correct KDC integer overflows which could be triggered by
malformed RC4 and AES ciphertexts (CVE-2009-4212, #546348)

[1.6.1-37.el5_7]
- pull changes to libkrb5 to properly handle and chase off-path referrals
back from 1.7 (#546538)

[1.6.1-36.el5_7]
- add an auth stack to ksus PAM configuration so that it can successfully
pam_setcred()

[1.6.1-35.el5_7]
- also set PAM_RUSER in ksu for completeness (#479071+#477033)

[1.6.1-34.el5_7]
- fix various typos, except for bits pertaining to licensing (#499190)

[1.6.1-33.el5_7]
- kdb5_util: when renaming a database, if the new names associated lock
files dont exist, go ahead and create them (#442879)
- ksu: perform PAM account and session management for the target user;
authentication is still performed as before (#477033)
- fix typo in ksus reporting of errors getting credentials (#462890)
- kadmind.init: stop setting up a keytab, as kadminds been able to use
the database directly for a while now (#473151)
- pull up patch to set PAM_RHOST (James Leddy, #479071)

More information about the Oraclevm-errata mailing list