[Oraclevm-errata] OVMSA-2016-0039 Moderate: Oracle VM 3.3 krb5 security update
Errata Announcements for Oracle VM
oraclevm-errata at oss.oracle.com
Wed Mar 23 05:10:45 PDT 2016
Oracle VM Security Advisory OVMSA-2016-0039
The following updated rpms for Oracle VM 3.3 have been uploaded to the
Unbreakable Linux Network:
Description of changes:
- Fix CVE-2015-8629 and CVE-2015-8631
- Also fix a spec trigger issue that prevents building
- Resolves: #1306973
- fix for RH bug #1210704 ("Remove stray include in krb5's
localauth_plugin.h"). This unnecessary #include statement
was causing build failures on some systems by making libkrb5
sources depend on gssapi.h (and as a result on libcom_err,
- fix for CVE-2014-5353 (#1174543) "Fix LDAP misused policy
- fix for CVE-2014-5355 (#1193939) "krb5: unauthenticated
denial of service in recvauth_common() and others"
- Backout patch #137 for krbdev #7996 ("Simplify and improve
ksu cred verification" - see 1.10.3-36) for now until we
figure out how to get this working.
- Backported krbdev #7868 ("Use preauth options when changing
password") from krb-1.13 to fix RH bug #1075656 ("krb5
client ignores FAST settings for changepw requests"):
If we try to change the password in
|krb5_get_init_creds_password()|, we must use all
application-specified gic options which affect
preauthentication when getting the kadmin/changepw ticket.
Create a helper function |make_chpw_options()| which copies
the application's options, unsets the options we don't want,
and sets options appropriate for a temporary ticket.