[SECURITY] Fedora 7 Update: krb5-1.6.1-9.fc7

updates at fedoraproject.org
Fri Mar 21 22:18:10 UTC 2008


--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2008-2637
2008-03-21 21:43:57
--------------------------------------------------------------------------------

Name        : krb5
Product     : Fedora 7
Version     : 1.6.1
Release     : 9.fc7
URL         : http://web.mit.edu/kerberos/www/
Summary     : The Kerberos network authentication system.
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.

--------------------------------------------------------------------------------
Update Information:

This update incorporates fixes included in MITKRB5-SA-2008-001 (use of
uninitialized pointer / double-free in the KDC when v4 compatibility is enabled)
and MITKRB5-SA-2008-002 (incorrect handling of high-numbered descriptors in the
RPC library). This update also incorporates less-critical fixes for a
double-free (CVE-2007-5971) and an incorrect attempt to free non-heap memory
(CVE-2007-5901) in the GSSAPI library.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 18 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-9
- add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer
  when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063,
- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when
  high-numbered descriptors are used (CVE-2008-0947, #433596)
- add backport bug fix for an attempt to free non-heap memory in
  libgssapi_krb5 (CVE-2007-5901, #415321)
- add backport bug fix for a double-free in out-of-memory situations in
  libgssapi_krb5 (CVE-2007-5971, #415351)
* Tue Feb 26 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-8
- stop adding a redundant but harmless call to initialize the gssapi internals
- kdb_ldap: add patch to treat 'nsAccountLock: true' as an indication that
  the DISALLOW_ALL_TIX flag is set on an entry, for better interop with Fedora,
  Netscape, Red Hat Directory Server (Simo Sorce)
* Mon Feb 25 2008 Nalin Dahyabhai <nalin at redhat.com>
- remove a patch, to fix problems with interfaces which are "up" but which
  have no address assigned, which conflicted with a different fix for the same
  problem in 1.5 (#200979)
* Wed Jan 23 2008 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-7
- backport fix from 1.6.3 to get back traditional prompt-for-password-change-
  on-expired-password behavior back in kinit (and other users of
  krb5_get_init_creds_opt_alloc()) (#429918)
* Fri Nov 16 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-6
- backport a fix to make handling of returned flags during spnego credential
  delegation more forgiving of apps which don't care about flags but still
  want a delegated credential handle (#314651, RT#5802)
- fix retrieval of krb5 credentials from an spnego delegated handle (#319351,
  RT#5807)
* Mon Sep 17 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-5
- fix incorrect call to "test" in the kadmin init script (Fran Taylor, #287291)
* Thu Sep  6 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-4
- incorporate updated fix for CVE-2007-3999 (CVE-2007-4743)
* Tue Sep  4 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-3
- incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000)
* Wed Jun 27 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-2.1
- incorporate fixes for MITKRB5-SA-2007-004 (CVE-2007-2442,CVE-2007-2443)
  and MITKRB5-SA-2007-005 (CVE-2007-2798)
* Wed Jun 27 2007 Nalin Dahyabhai <nalin at redhat.com>
- preprocess kerberos.ldif into a format FDS will like better, and include
  that as a doc file as well (from 1.6.1-4)
- drop old, incomplete SELinux patch (from 1.6.1-4)
- add patch from Greg Hudson to make srvtab routines report missing-file errors
  at same point that "file" keytab routines do (from 1.6.1-4, #241805)
* Wed Jun 27 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-2.0
- pull up from devel HEAD's 1.6.1-2
* Thu May 24 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-2
- pull patch from svn to undo unintentional chattiness in ftp
- pull patch from svn to handle NULL krb5_get_init_creds_opt structures
  better in a couple of places where they're expected
* Wed May 23 2007 Nalin Dahyabhai <nalin at redhat.com> 1.6.1-1
- update to 1.6.1
  - drop no-longer-needed patches for CVE-2007-0956,CVE-2007-0957,CVE-2007-1216
  - drop patch for sendto bug in 1.6, fixed in 1.6.1
* Fri May 18 2007 Nalin Dahyabhai <nalin at redhat.com>
- kadmind.init: don't fail outright if the default principal database
  isn't there if it looks like we might be using the kldap plugin
- kadmind.init: attempt to extract the key for the host-specific kadmin
  service when we try to create the keytab
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #415321 - CVE-2007-5901 krb5: use-after-free in gssapi lib
        https://bugzilla.redhat.com/show_bug.cgi?id=415321
  [ 2 ] Bug #415351 - CVE-2007-5971 krb5: double free in gssapi lib
        https://bugzilla.redhat.com/show_bug.cgi?id=415351
  [ 3 ] Bug #432620 - CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc
        https://bugzilla.redhat.com/show_bug.cgi?id=432620
  [ 4 ] Bug #432621 - CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request
        https://bugzilla.redhat.com/show_bug.cgi?id=432621
  [ 5 ] Bug #433596 - CVE-2008-0947 krb5: file descriptor array overflow in RPC library
        https://bugzilla.redhat.com/show_bug.cgi?id=433596
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update krb5' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
http://fedoraproject.org/keys
--------------------------------------------------------------------------------
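
The high-numbered-descriptor issue named under Update Information (array
out-of-bounds accesses once a descriptor number exceeds what the fd-indexed
storage holds) comes down to a missing range check. The sketch below is an
added illustration of that check, not code from krb5 or from this notice;
conn_table, register_conn and the sample descriptor numbers are hypothetical.

```c
#include <stdio.h>
#include <sys/select.h>

/* Hypothetical per-connection state, one slot per descriptor number. */
struct conn { int in_use; };

static struct conn conn_table[FD_SETSIZE]; /* valid indexes: 0..FD_SETSIZE-1 */
static fd_set watched;                     /* bitmap with FD_SETSIZE bits */
static int max_fd = -1;

/* Clear all state before use. */
static void conn_reset(void)
{
    for (int i = 0; i < FD_SETSIZE; i++)
        conn_table[i].in_use = 0;
    FD_ZERO(&watched);
    max_fd = -1;
}

/*
 * Register a descriptor for select()-style polling.
 * Returns 0 on success, -1 if fd cannot be tracked safely.
 * Without the range check, both conn_table[fd] and FD_SET(fd, ...) would
 * write outside their storage whenever fd >= FD_SETSIZE.
 */
static int register_conn(int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;              /* caller should close(fd) and log it */
    conn_table[fd].in_use = 1;
    FD_SET(fd, &watched);
    if (fd > max_fd)
        max_fd = fd;
    return 0;
}

int main(void)
{
    /* Constructed descriptor numbers; nothing is actually opened. */
    int samples[] = { 3, FD_SETSIZE - 1, FD_SETSIZE, FD_SETSIZE + 40, -1 };

    conn_reset();
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("fd %d -> %s\n", samples[i],
               register_conn(samples[i]) == 0 ? "tracked" : "rejected");
    return 0;
}
```

A process only receives descriptor numbers at or above FD_SETSIZE when its
open-file limit allows it, so the check matters most on servers that raise
that limit.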



