Your message dated Mon, 18 Aug 2014 17:19:23 +0000
with message-id <[email protected]>
and subject line Bug#755520: fixed in krb5 1.8.3+dfsg-4squeeze8
has caused the Debian Bug report #755520,
regarding CVE-2014-4343 in krb5: double-free in SPNEGO initiators
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
755520: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755520
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libgssapi-krb5-2
Version: 1.10.1+dfsg-5+deb7u1
Upstream has committed a fix for CVE-2014-4343 to their git repo; we
should take it as well, and probably push it back into the -security repos
for stable.
It's a double-free in clients, but not the default configuration.
I should be able to get the patch into git later today.
Sam, are you going to be too busy with IETF to do the upload?
-Ben
--- End Message ---
--- Begin Message ---
Source: krb5
Source-Version: 1.8.3+dfsg-4squeeze8
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thorsten Alteholz <[email protected]> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 18 Jul 2014 18:00:24 +0200
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev
libkrb5-dev libkrb5-dbg krb5-pkinit krb5-doc libkrb5-3 libgssapi-krb5-2
libgssrpc4 libkadm5srv-mit7 libkadm5clnt-mit7 libk5crypto3 libkdb5-4
libkrb5support0 libkrb53
Architecture: source all i386
Version: 1.8.3+dfsg-4squeeze8
Distribution: squeeze-lts
Urgency: medium
Maintainer: Sam Hartman <[email protected]>
Changed-By: Thorsten Alteholz <[email protected]>
Description:
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - Documentation for MIT Kerberos
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
libkadm5clnt-mit7 - MIT Kerberos runtime libraries - Administration Clients
libkadm5srv-mit7 - MIT Kerberos runtime libraries - KDC and Admin Server
libkdb5-4 - MIT Kerberos runtime libraries - Kerberos database
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb53 - transitional package for MIT Kerberos libraries
libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 755520
Changes:
 krb5 (1.8.3+dfsg-4squeeze8) squeeze-lts; urgency=medium
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Apply upstream patches for several issues:
     - CVE-2014-4341: denial of service due to improper GSSAPI message
       validation, Bug: #753624
     - CVE-2014-4342: denial of service due to improper GSSAPI message
       validation, Bug: #753625
     - CVE-2014-4343: double-free in SPNEGO initiator during renegotiation,
       Closes: #755520
     - CVE-2014-4344: NULL dereference in SPNEGO acceptor, Bug: #755521
     - CVE-2014-4345 [MITKRB5-SA-2014-001]: buffer overrun in kadmind with
       LDAP backend, Bug: #757416
   * put patches into debian/patches (0026-* .. 0029-*)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlPyM1gACgkQ02K2KlS5mJAsAQCfWqBVuBFw56Vp2dqQwQ3G9ZMH
B1MAoIl4nY/xWCkyWG3sx3E2JGXKneDZ
=ueHj
-----END PGP SIGNATURE-----
--- End Message ---