[Oraclevm-errata] OVMSA-2016-0039 Moderate: Oracle VM 3.3 krb5 security update

Errata Announcements for Oracle VM oraclevm-errata at oss.oracle.com
Wed Mar 23 05:10:45 PDT 2016

Oracle VM Security Advisory OVMSA-2016-0039

The following updated rpms for Oracle VM 3.3 have been uploaded to the 
Unbreakable Linux Network:



Description of changes:

- Fix CVE-2015-8629 and CVE-2015-8631
- Also fix a spec trigger issue that prevents building
- Resolves: #1306973

- fix for RH bug #1210704 ("Remove stray include in krb5's
   localauth_plugin.h"). This unnecessary #include statement
   was causing build failures on some systems by making libkrb5
   sources depend on gssapi.h (and as a result on libcom_err,
- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy
   name crash"

- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
   denial of service in recvauth_common() and others"

- Backout patch #137 for krbdev #7996 ("Simplify and improve
   ksu cred verification" - see 1.10.3-36) for now until we
   figure out how to get this working.

- Backported krbdev #7868 ("Use preauth options when changing
   password") from krb-1.13 to fix RH bug #1075656 ("krb5
   client ignores FAST settings for changepw requests"):
   If we try to change the password in
   |krb5_get_init_creds_password()|, we must use all
   application-specified gic options which affect
   preauthentication when getting the kadmin/changepw ticket.
   Create a helper function |make_chpw_options()| which copies
   the application's options, unsets the options we don't want,
   and sets options appropriate for a temporary ticket.
