Your message dated Sun, 22 Dec 2019 10:49:27 +0000
with message-id <[email protected]>
and subject line Bug#946786: fixed in heimdal 7.7.0+dfsg-1
has caused the Debian Bug report #946786,
regarding heimdal: CVE-2019-14870
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
946786: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946786
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: heimdal
Version: 7.5.0+dfsg-3
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for heimdal.
CVE-2019-14870[0]:
| All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and
| 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos
| delegation model includes a feature allowing for a subset of clients
| to be opted out of constrained delegation in any way, either S4U2Self
| or regular Kerberos authentication, by forcing all tickets for these
| clients to be non-forwardable. In AD this is implemented by a user
| attribute delegation_not_allowed (aka not-delegated), which translates
| to disallow-forwardable. However the Samba AD DC does not do that for
| S4U2Self and does set the forwardable flag even if the impersonated
| client has the not-delegated flag set.
This issue also affects heimdal itself.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-14870
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14870
[1] https://github.com/heimdal/heimdal/pull/663
[2] https://github.com/heimdal/heimdal/pull/664 (port to 7.1 branch)
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
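As an added illustration (not code from Heimdal, Samba or the report above), the following constructed Python model shows the S4U2Self flag decision the CVE text describes, vulnerable and corrected side by side, and why the forwardable flag matters for the S4U2Proxy step that follows it. The principal names, the account database and the function names are assumptions made for the example.

```python
"""Constructed model of the S4U2Self flag handling behind CVE-2019-14870.
Added example: not Heimdal's, Samba's or the reporter's code. Principal
names, the HDB dict and the function names are illustrative assumptions."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class Ticket:
    client: str        # impersonated user the ticket names as client
    service: str       # principal the ticket is issued to
    forwardable: bool  # the flag the bug description is about

# Constructed account database. "not_delegated" models the AD attribute
# delegation_not_allowed (aka not-delegated / disallow-forwardable).
HDB = {
    "alice@EXAMPLE.TEST": {"not_delegated": False},
    "admin@EXAMPLE.TEST": {"not_delegated": True},
    "HTTP/web.example.test@EXAMPLE.TEST": {"not_delegated": False},
}

def s4u2self(service: str, impersonated: str, fixed: bool) -> Ticket:
    """Issue a service-for-user-to-self ticket to `service` for `impersonated`.
    fixed=False reproduces the vulnerable KDC: forwardable is set regardless of
    the impersonated client's attribute. fixed=True honours the attribute, as a
    regular AS/TGS exchange for that client already did."""
    not_delegated = HDB[impersonated]["not_delegated"]
    forwardable = True if not fixed else not not_delegated
    return Ticket(client=impersonated, service=service, forwardable=forwardable)

def s4u2proxy(service: str, evidence: Ticket, target: str) -> Optional[Ticket]:
    """Constrained delegation step: the evidence ticket must be issued to
    `service` and be forwardable, which is why the S4U2Self flag decides
    whether a not-delegated account can be delegated at all."""
    if evidence.service != service or not evidence.forwardable:
        return None
    return Ticket(client=evidence.client, service=target, forwardable=True)

def can_delegate(impersonated: str, fixed: bool) -> bool:
    """True if a front-end service could chain S4U2Self into S4U2Proxy."""
    web = "HTTP/web.example.test@EXAMPLE.TEST"
    evidence = s4u2self(web, impersonated, fixed)
    return s4u2proxy(web, evidence, "cifs/files.example.test@EXAMPLE.TEST") is not None

if __name__ == "__main__":
    for fixed in (False, True):
        for user in ("alice@EXAMPLE.TEST", "admin@EXAMPLE.TEST"):
            print(f"fixed={fixed!s:<5} {user}: delegation possible={can_delegate(user, fixed)}")
```

On the unfixed model the not-delegated account is delegable through S4U2Self; on the fixed model only the unrestricted account is, which is the behaviour the upstream fix restores.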
--- Begin Message ---
Source: heimdal
Source-Version: 7.7.0+dfsg-1
We believe that the bug you reported is fixed in the latest version of
heimdal, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Brian May <[email protected]> (supplier of updated heimdal package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Tue, 17 Dec 2019 20:23:41 +1100
Source: heimdal
Architecture: source
Version: 7.7.0+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Brian May <[email protected]>
Changed-By: Brian May <[email protected]>
Closes: 946786
Changes:
heimdal (7.7.0+dfsg-1) unstable; urgency=medium
.
* New upstream version.
* Fix CVE-2019-14870: The DelegationNotAllowed Kerberos feature restriction
was not being applied when processing protocol transition requests
(S4U2Self), in the AD DC KDC. Closes: #946786.
--- End Message ---