Your message dated Mon, 28 Aug 2017 16:57:41 -0400
with message-id <[email protected]>
and subject line Fixed in krb5 1.12.1+dfsg-19+deb8u3
has caused the Debian Bug report #832572,
regarding krb5: CVE-2016-3120: Fix S4U2Self KDC crash when anon is restricted
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
832572: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832572
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.10.1+dfsg-5
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for krb5.
CVE-2016-3120[0]:
Fix S4U2Self KDC crash when anon is restricted
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-3120
[1] https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
source: krb5
source-version: 1.12.1+dfsg-19+deb8ku3
Hi.
The following issues were fixed in 1.12.1+dfsg-19+deb8u3 for jessie.
I ended up needing to build a +deb8u4 because of a build/upload issue,
and so the bugs were not automatically closed.
Here's the relevant changelog info:
krb5 (1.12.1+dfsg-19+deb8u4) jessie; urgency=medium

  * New version number; same code as deb8u3 but rebuilt to build arch all
    packages and because dgit doesn't deal well with reusing a version
    number when a package is rejected

 -- Sam Hartman <[email protected]>  Mon, 28 Aug 2017 11:55:49 -0400

krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high

  * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
    Closes: #869260
  * fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), Closes:
    #832572
  * fix for CVE-2016-3119: remote DOS with ldap for authenticated
    attackers, Closes: #819468
  * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557

 -- Sam Hartman <[email protected]>  Sun, 13 Aug 2017 18:02:34 -0400
--- End Message ---