Your message dated Mon, 28 Aug 2017 16:57:41 -0400
with message-id <[email protected]>
and subject line Fixed in krb5 1.12.1+dfsg-19+deb8u3
has caused the Debian Bug report #783557,
regarding CVE-2015-2694 in krb5-otp, krb5-pkinit
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
783557: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783557
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.12.1+dfsg-19
Tags: security

Two errors in krb5-otp and krb5-pkinit can interact to allow an attacker to get a ciphertext in a long-term (potentially password-derived) key without properly pre-authenticating, allowing for an offline brute-force attack. It is believed that both components must be present to trigger the bug; upstream's commit message for the fix (included below) is written on the assumption that the OTP functionality is part of the base KDC, but in Debian we provide it in a separate package, krb5-otp.

-Ben

Prevent requires_preauth bypass [CVE-2015-2694]

In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until the request is successfully verified. In the PKINIT kdcpreauth module, don't respond with code 0 on empty input or an unconfigured realm. Together these bugs could cause the KDC preauth framework to erroneously treat a request as pre-authenticated.

CVE-2015-2694:

In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.

CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
--- End Message ---
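The interaction the commit message describes (one module marking the ticket pre-authenticated before verification finishes, another reporting success on input it never checked) is easy to reason about in a small model. The following C program is an added illustration and is not MIT krb5 source or Debian's patch: the request and config structs, the module functions, the error value KDC_ERR_PREAUTH_FAILED and the framework's "any module returned 0 and the pre-auth flag is set" rule are all assumptions chosen for the model; only the flag name TKT_FLG_PRE_AUTH comes from the report. Each module is shown in its pre-fix and post-fix ordering, and the helper functions show that the bad request is accepted only when both defects are present, while a correct OTP is still accepted after the fixes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a KDC preauth framework (NOT krb5 code).
 * TKT_FLG_PRE_AUTH is the flag name used in the bug report; the error
 * code below is an assumed non-zero value for this model only. */
#define TKT_FLG_PRE_AUTH        0x01u
#define KDC_ERR_PREAUTH_FAILED  24

typedef struct {
    const char *otp;               /* OTP value sent by the client, NULL if none */
    size_t      pkinit_len;        /* length of PKINIT padata body, 0 = empty */
    bool        pkinit_cert_valid; /* outcome of certificate validation,
                                      which this model does not perform */
    unsigned    ticket_flags;      /* flags that will be copied into the ticket */
} kdc_request;

typedef struct {
    const char *expected_otp;            /* the value the OTP backend accepts */
    bool        pkinit_realm_configured; /* realm has PKINIT settings */
} kdc_config;

typedef int (*verify_fn)(kdc_request *, const kdc_config *);

static bool otp_matches(const kdc_request *req, const kdc_config *cfg)
{
    return req->otp != NULL && cfg->expected_otp != NULL &&
           strcmp(req->otp, cfg->expected_otp) == 0;
}

/* OTP module, vulnerable ordering: the flag is set before the check,
 * so it stays set in the request even when the OTP is wrong. */
static int otp_verify_vulnerable(kdc_request *req, const kdc_config *cfg)
{
    req->ticket_flags |= TKT_FLG_PRE_AUTH;
    return otp_matches(req, cfg) ? 0 : KDC_ERR_PREAUTH_FAILED;
}

/* OTP module, fixed ordering: the flag is set only after success. */
static int otp_verify_fixed(kdc_request *req, const kdc_config *cfg)
{
    if (!otp_matches(req, cfg))
        return KDC_ERR_PREAUTH_FAILED;
    req->ticket_flags |= TKT_FLG_PRE_AUTH;
    return 0;
}

/* PKINIT module, vulnerable: empty input or an unconfigured realm is
 * reported as success (0) although nothing was verified. */
static int pkinit_verify_vulnerable(kdc_request *req, const kdc_config *cfg)
{
    if (req->pkinit_len == 0 || !cfg->pkinit_realm_configured)
        return 0;
    if (!req->pkinit_cert_valid)
        return KDC_ERR_PREAUTH_FAILED;
    req->ticket_flags |= TKT_FLG_PRE_AUTH;
    return 0;
}

/* PKINIT module, fixed: "nothing to verify" is an error, not a success. */
static int pkinit_verify_fixed(kdc_request *req, const kdc_config *cfg)
{
    if (req->pkinit_len == 0 || !cfg->pkinit_realm_configured)
        return KDC_ERR_PREAUTH_FAILED;
    if (!req->pkinit_cert_valid)
        return KDC_ERR_PREAUTH_FAILED;
    req->ticket_flags |= TKT_FLG_PRE_AUTH;
    return 0;
}

/* Framework model: every module inspects the request; it counts as
 * pre-authenticated when some module returned 0 AND the flag is set. */
static bool kdc_request_preauthenticated(kdc_request *req, const kdc_config *cfg,
                                         verify_fn otp, verify_fn pkinit)
{
    verify_fn modules[] = { otp, pkinit };
    bool any_success = false;
    for (size_t i = 0; i < sizeof modules / sizeof modules[0]; i++) {
        if (modules[i](req, cfg) == 0)
            any_success = true;
    }
    return any_success && (req->ticket_flags & TKT_FLG_PRE_AUTH) != 0;
}

/* Constructed sample: wrong OTP, empty PKINIT body. Must never be accepted. */
static bool bad_request_accepted(bool otp_fixed, bool pkinit_fixed)
{
    kdc_config  cfg = { .expected_otp = "123456", .pkinit_realm_configured = true };
    kdc_request req = { .otp = "000000", .pkinit_len = 0,
                        .pkinit_cert_valid = false, .ticket_flags = 0 };
    return kdc_request_preauthenticated(&req, &cfg,
               otp_fixed ? otp_verify_fixed : otp_verify_vulnerable,
               pkinit_fixed ? pkinit_verify_fixed : pkinit_verify_vulnerable);
}

/* Constructed sample: correct OTP. Must still be accepted after the fixes. */
static bool good_request_accepted(bool otp_fixed, bool pkinit_fixed)
{
    kdc_config  cfg = { .expected_otp = "123456", .pkinit_realm_configured = true };
    kdc_request req = { .otp = "123456", .pkinit_len = 0,
                        .pkinit_cert_valid = false, .ticket_flags = 0 };
    return kdc_request_preauthenticated(&req, &cfg,
               otp_fixed ? otp_verify_fixed : otp_verify_vulnerable,
               pkinit_fixed ? pkinit_verify_fixed : pkinit_verify_vulnerable);
}

int main(void)
{
    printf("both unfixed, wrong OTP accepted:   %d\n", bad_request_accepted(false, false));
    printf("OTP fixed only, wrong OTP accepted: %d\n", bad_request_accepted(true, false));
    printf("PKINIT fixed only, wrong accepted:  %d\n", bad_request_accepted(false, true));
    printf("both fixed, correct OTP accepted:   %d\n", good_request_accepted(true, true));
    return 0;
}
```

The model makes the report's "both components must be present" observation concrete: fixing either module alone closes the path, because the flag and the success code come from different modules and the framework needs both. It also shows why ordering bugs of this kind are worth a regression test that submits deliberately invalid preauth data and asserts rejection, rather than only testing the happy path.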
--- Begin Message ---
source: krb5
source-version: 1.12.1+dfsg-19+deb8u3

Hi. The following issues were fixed in 1.12.1+dfsg-19+deb8u3 for jessie. I ended up needing to build a +deb8u4 because of a build/upload issue, and so the bugs were not automatically closed. Here's the relevant changelog info:

krb5 (1.12.1+dfsg-19+deb8u4) jessie; urgency=medium

  * New version number; same code as deb8u3 but rebuilt to build arch all
    packages and because dgit doesn't deal well with reusing a version
    number when a package is rejected

 -- Sam Hartman <[email protected]>  Mon, 28 Aug 2017 11:55:49 -0400

krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high

  * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
    Closes: #869260
  * fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt),
    Closes: #832572
  * fix for CVE-2016-3119: remote DOS with ldap for authenticated
    attackers, Closes: #819468
  * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557

 -- Sam Hartman <[email protected]>  Sun, 13 Aug 2017 18:02:34 -0400
--- End Message ---