--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-7130
2010-04-21 21:42:17
--------------------------------------------------------------------------------

Name        : krb5
Product     : Fedora 12
Version     : 1.7.1
Release     : 7.fc12
URL         : http://web.mit.edu/kerberos/www/
Summary     : The Kerberos network authentication system
Description :
Kerberos V5 is a trusted-third-party network authentication system, which can
improve your network's security by eliminating the insecure practice of
cleartext passwords.

--------------------------------------------------------------------------------
Update Information:

Joel Johnson reported a possible double-free in the Kerberos KDC
(MITKRB5-SA-2010-004, CVE-2010-1320). This update adds the upstream fix for
this bug.
--------------------------------------------------------------------------------
ChangeLog:

* Tue Apr 20 2010 Nalin Dahyabhai <[email protected]> 1.7.1-7
- incorporate patch to fix double-free in the KDC (CVE-2010-1320, #581922)
* Thu Apr 8 2010 Nalin Dahyabhai <[email protected]>
- drop patch to suppress key expiration warnings sent from the KDC in the
  last-req field, as the KDC is expected to just be configured to either send
  them or not as a particular key approaches expiration (#556495)
* Tue Mar 23 2010 Nalin Dahyabhai <[email protected]> - 1.7.1-6
- add fix for denial-of-service in SPNEGO (CVE-2010-0628, #576324)
* Mon Mar 8 2010 Nalin Dahyabhai <[email protected]> - 1.7.1-5
- pull up patch to get the client libraries to correctly perform password
  changes over IPv6 (Sumit Bose, RT#6661)
* Wed Mar 3 2010 Nalin Dahyabhai <[email protected]> - 1.7.1-4
- fix a null pointer dereference and crash introduced in our PAM patch that
  would happen if ftpd was given the name of a user who wasn't known to the
  local system, limited to being triggerable by gssapi-authenticated clients
  by the default xinetd config (Olivier Fourdan, #569472)
* Tue Mar 2 2010 Nalin Dahyabhai <[email protected]> - 1.7.1-3
- fix a regression (not labeling a kdb database lock file correctly, #569902)
* Tue Feb 16 2010 Nalin Dahyabhai <[email protected]> - 1.7.1-2
- apply patch from upstream to fix KDC denial of service (CVE-2010-0283,
* Wed Feb 3 2010 Nalin Dahyabhai <[email protected]> - 1.7.1-1
- update to 1.7.1
- don't trip AD lockout on wrong password (#542687, #554351)
- incorporates fixes for CVE-2009-4212 and CVE-2009-3295
- fixes gss_krb5_copy_ccache() when SPNEGO is used
- move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to the
  devel subpackage, better lining up with the expected krb5/krb5-appl split
  in 1.8
- drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it already
  depends on -workstation which also includes them
* Mon Jan 25 2010 Nalin Dahyabhai <[email protected]> - 1.7-23
- tighten up default permissions on kdc.conf and kadm5.acl (#558343)
* Fri Jan 22 2010 Nalin Dahyabhai <[email protected]> - 1.7-22
- use portreserve correctly -- portrelease takes the basename of the file
  whose entries should be released, so we need three files, not one
* Mon Jan 18 2010 Nalin Dahyabhai <[email protected]> - 1.7-21
- suppress warnings of impending password expiration if expiration is more
  than seven days away when the KDC reports it via the last-req field, just
  as we already do when it reports expiration via the key-expiration field
  (#556495)
- link with libtinfo rather than libncurses, when we can, in future RHEL
* Fri Jan 15 2010 Nalin Dahyabhai <[email protected]> - 1.7-20
- krb5_get_init_creds_password: check opte->flags instead of options->flags
  when checking whether or not we get to use the prompter callback (#555875)
* Thu Jan 14 2010 Nalin Dahyabhai <[email protected]> - 1.7-19
- use portreserve to make sure the KDC can always bind to the kerberos-iv
  port, kpropd can always bind to the krb5_prop port, and that kadmind can
  always bind to the kerberos-adm port (#555279)
- correct inadvertent use of macros in the changelog (rpmlint)
* Tue Jan 12 2010 Nalin Dahyabhai <[email protected]> - 1.7-18
- add upstream patch for integer underflow during AES and RC4 decryption
  (CVE-2009-4212), via Tom Yu (#545015)
* Wed Jan 6 2010 Nalin Dahyabhai <[email protected]> - 1.7-17
- put the conditional back for the -devel subpackage
- back down to the earlier version of the patch for #551764; the backported
  alternate version was incomplete
* Tue Jan 5 2010 Nalin Dahyabhai <[email protected]> - 1.7-16
- use %global instead of %define
- pull up proposed patch for creating previously-not-there lock files for kdb
  databases when 'kdb5_util' is called to 'load' (#551764)
* Mon Jan 4 2010 Dennis Gregorovic <[email protected]>
- fix conditional for future RHEL
* Mon Jan 4 2010 Nalin Dahyabhai <[email protected]> - 1.7-15
- add upstream patch for KDC crash during referral processing (CVE-2009-3295),
  via Tom Yu (#545002)
* Mon Dec 21 2009 Nalin Dahyabhai <[email protected]> - 1.7-14
- refresh patch for #542868 from trunk
* Thu Dec 10 2009 Nalin Dahyabhai <[email protected]>
- move man pages that live in the -libs subpackage into the regular
  %{_mandir} tree where they'll still be found if that package is the only
  one installed (#529319)
* Wed Dec 9 2009 Nalin Dahyabhai <[email protected]> - 1.7-13
- and put it back in
* Tue Dec 8 2009 Nalin Dahyabhai <[email protected]>
- back that last change out
* Tue Dec 8 2009 Nalin Dahyabhai <[email protected]> - 1.7-12
- try to make gss_krb5_copy_ccache() work correctly for spnego (#542868)
* Fri Dec 4 2009 Nalin Dahyabhai <[email protected]>
- make krb5-config suppress CFLAGS output when called with --libs (#544391)
* Thu Dec 3 2009 Nalin Dahyabhai <[email protected]> - 1.7-11
- ksu: move account management checks to before we drop privileges, like su
  does (#540769)
- selinux: set the user part of file creation contexts to match the current
  context instead of what we looked up
- configure with --enable-dns-for-realm instead of --enable-dns, which isn't
  recognized any more
* Fri Nov 20 2009 Nalin Dahyabhai <[email protected]> - 1.7-10
- move /etc/pam.d/ksu from krb5-workstation-servers to krb5-workstation,
  where it's actually needed (#538703)
* Fri Oct 23 2009 Nalin Dahyabhai <[email protected]> - 1.7-9
- add some conditional logic to simplify building on older Fedora releases
* Tue Oct 13 2009 Nalin Dahyabhai <[email protected]>
- don't forget the README
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #581922 - CVE-2010-1320 krb5: double-free vulnerability in 1.7+
      https://bugzilla.redhat.com/show_bug.cgi?id=581922
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update krb5'
at the command line. For more information, refer to "Managing Software with
yum", available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/package-announce
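As an added example (not part of the Fedora announcement), the following script decides whether an installed krb5 package on Fedora 12 already carries this fix by comparing its epoch:version-release against the advisory's 1.7.1-7.fc12, using the same segment-wise ordering rpm applies (the tilde/caret extensions are left out). The `rpm -q` output line it parses is a constructed sample; the comparison only makes sense against packages built for the same Fedora release.

```python
import re

# Version-release shipped by FEDORA-2010-7130 (krb5 1.7.1, release 7.fc12).
FIXED_EVR = "1.7.1-7.fc12"

# rpm compares alternating runs of digits and letters; separators are ignored.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings like rpm does: -1, 0 or 1."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1      # a numeric segment is "newer" than alpha
        if x_num:
            xi, yi = int(x), int(y)        # numeric compare drops leading zeros
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1      # alpha segments compare lexically
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1   # the longer string wins


def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch = 0
    if ":" in evr:
        head, evr = evr.split(":", 1)
        epoch = int(head)
    version, _, release = evr.rpartition("-")
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def nvra_to_evr(nvra: str) -> str:
    """Turn an 'rpm -q' line such as krb5-server-1.7.1-6.fc12.x86_64 into 1.7.1-6.fc12."""
    _name, version, release_arch = nvra.rsplit("-", 2)
    release, _, _arch = release_arch.rpartition(".")
    return f"{version}-{release}"


def is_fixed(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed package is at or beyond the fixed build."""
    return evr_cmp(installed_evr, fixed_evr) >= 0
```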
