[Oraclevm-errata] OVMSA-2011-0015 Critical: Oracle VM 2.2 krb5 security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Wed Jan 4 09:09:32 PST 2012

Oracle VM Security Advisory OVMSA-2011-0015

The following updated rpms for Oracle VM 2.2 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- Fix for CVE-2011-4862

- incorporate a fix to teach the file labeling bits about when replay caches
are expunged (#712453)

- rebuild
- ftp: handle larger command inputs (#665833)

- don't bail halfway through an unlock operation when the result will
be discarded and the end-result not cleaned up (Martin Osvald, #586032)
- add a versioned dependency between krb5-server-ldap and krb5-libs 

- don't discard the error code from an error message received in response
to a change-password request (#658871, RT#6893)

- ftpd: add patch from Jatin Nansi to correctly match restrict
lines in /etc/ftpusers (#644215, RT#6889)

- ftp: add modified patch from Rogan Kyuseok Lee to report the number of
bytes transferred correctly when transferring large files on 32-bit
systems (#648404)

- backport fix for RT#6514: memory leak freeing rcache type none (#678205)
- add upstream patch to fix hang or crash in the KDC when using the LDAP kdb
backend (CVE-2011-0281, CVE-2011-0282, #671097)

- incorporate upstream patch for checksum acceptance issues from
MITKRB5-SA-2010-007 (CVE-2010-1323, #652308)

- backport a fix to the previous change (#539423)

- backport the k5login_directory and k5login_authoritative settings 

- krshd: don't limit user names to 16 chars when utmp can handle names
at least a bit longer than that (#611713)

- fix a logic bug in computing key expiration times (RT#6762, #627038)

- correct the post-rotate scriptlet in the kadmind logrotate config (more
of #462658)

- ftpd: backport changes to modify behavior to match telnetd, rshd, rlogind
and accept GSSAPI auth to any service for which we have a matching key
(#538075)

- pull in fix for RT#5551 to treat the referral realm when seen in a ticket
as though it were the local realm (#498554, also very likely #450122)

- add aes256-cts:normal and aes128-cts:normal to the list of keysalts
in the default kdc.conf (part of #565941)
- add a note to kdc.conf(5) pointing to the admin guide for the list of
recognized key and salt types (the rest of #565941)

- add logrotate configuration files for krb5kdc and kadmind (#462658)

- libgssapi: backport patch from svn to stop returning context-expired 
when the ticket which was used to set up the context expires (#605367,
upstream #6739)

- enable building the -server-ldap subpackage (#514362)

- stop caring about the endianness of stash files (#514741), which will be
replaced by proper keytab files in later releases
- don't crash in krb5_get_init_creds_password() if the passed-in options
struct is NULL and the client's keys have expired (#555875)

- ksu: perform PAM account and session management before dropping privileges
to those of the target user (#540769 and #596887, respectively)
- add candidate patch to correct libgssapi null pointer dereference which
could be triggered by malformed client requests (CVE-2010-1321, #583704)

- fix a null pointer dereference and crash introduced in our PAM patch that
would happen if ftpd was given the name of a user who wasn't known to the
local system, limited to being triggerable by gssapi-authenticated clients
by the default xinetd config (Olivier Fourdan, #569472)

- add upstream patch to fix a few use-after-free bugs, including one in
kadmind (CVE-2010-0629, #578186)

- merge patch to correct KDC integer overflows which could be triggered by
malformed RC4 and AES ciphertexts (CVE-2009-4212, #546348)

- pull changes to libkrb5 to properly handle and chase off-path referrals
back from 1.7 (#546538)

- add an auth stack to ksu's PAM configuration so that it can successfully

- also set PAM_RUSER in ksu for completeness (#479071+#477033)

- fix various typos, except for bits pertaining to licensing (#499190)

- kdb5_util: when renaming a database, if the new name's associated lock
files don't exist, go ahead and create them (#442879)
- ksu: perform PAM account and session management for the target user;
authentication is still performed as before (#477033)
- fix typo in ksu's reporting of errors getting credentials (#462890)
- kadmind.init: stop setting up a keytab, as kadmind's been able to use
the database directly for a while now (#473151)
- pull up patch to set PAM_RHOST (James Leddy, #479071)
