[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix
This bug was fixed in the package pykerberos - 1.1+svn10616-2ubuntu0.1

---------------
pykerberos (1.1+svn10616-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: The checkPassword function does not authenticate the
    KDC it attempts to communicate with (LP: #1716429)
    - Add-KDC-authenticity-verification-support-CVE-2015-3206.patch
      retrieved from xenial version (1.1.5-2build1).
    - CVE-2015-3206
    - debian/NEWS: add explanation of issue and default chosen

 -- Mathieu Lafon  Thu, 05 Oct 2017 09:32:55 +0200

** Changed in: pykerberos (Ubuntu Trusty)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1716429

Title:
  pykerberos for trusty does not include CVE-2015-3206 fix

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pykerberos/+bug/1716429/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix
Hi Steve,

> When debian fixed this issue [...], they left the default to off, in order to
> not break [...]
> The update for Ubuntu 12.04 LTS included this default.

You're correct about debian, but this is not exactly what is in the 12.04 LTS
update. The patch for precise has two issues:

- The default value for 'verify' in the source code (src/kerberos.c) is 1
  (enabled) although pysrc/kerberos.py (only used for documentation) has
  'verify=False'
- The 'verify' argument was not made optional in the PyArg_ParseTuple() call,
  so whatever default value was specified, the call would fail if there were
  not 5 parameters.

So 12.04 LTS already broke existing setups (and I was personally impacted at
that time).

The patch included in xenial then fixes these issues:

pykerberos (1.1.5-2):
  * [d3133b6] Set verify=True in docs too. This makes the docs consistent
    with the default behaviour of the function.
  * [792f3b6] Make verify option really optional. So far it correctly
    defaulted to true but couldn't be skipped.
[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix
Hi Mathieu,

When debian fixed this issue for Jessie and Wheezy (their stable
releases), they left the default to off, in order to not break existing
setups that aren't prepared to do validation of the KDC (as it requires
possibly setting up an additional keytab). The update for Ubuntu 12.04
LTS included this default. I think this is the sensible thing to do for
Ubuntu 14.04 LTS.

(See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796195 and in
particular, the added NEWS entry in
http://launchpadlibrarian.net/211063096/pykerberos_1.1+svn4895-1build2_1.1+svn4895-1+deb6u1build0.12.04.1.diff.gz
for explanation.)

I'm touching up your debdiff to do this (and include a similar NEWS
entry), and will push this to trusty-security next week.

Thanks.

** Bug watch added: Debian Bug tracker #796195
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796195

** Changed in: pykerberos (Ubuntu Trusty)
     Assignee: (unassigned) => Steve Beattie (sbeattie)
[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix
Here is a new debdiff with the following changes:
- Updated priority in changelog
- Added DEP-3 headers in included patch
- Removed const qualifier

Regards.

** Patch added: "pykerberos_1.1+svn10616-2_1.1+svn10616-2ubuntu0.1.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/pykerberos/+bug/1716429/+attachment/4962596/+files/pykerberos_1.1+svn10616-2_1.1+svn10616-2ubuntu0.1.debdiff
[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix
Hrm, the debdiff includes:

++const int verify = 1;

This patch from upstream removed the 'const':
https://github.com/02strich/pykerberos/commit/873fca96cb42ff1c163859a5618dc9983796f438

The commit message includes this "gcc didn't respect the const qualifiers,
however" -- I'm not sure I like relying upon a whim of gcc for this.

This debdiff does grab the |b vs b change though.

Does anything ever want verify = false?

Thanks
[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix
Hello Mathieu,

Please add the DEP-3 header to the included patch
(Add-KDC-authenticity-verification-support-CVE-2015-3206.patch).

Thanks for the triaging, I can get that on the tracker next time I do some
triaging (unless a member of ~ubuntu-security wants to take care of it).

Thank you!
[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix
Hello Simon,

On which patch do you expect me to add DEP-3 header? Is it the debdiff or
the included patch
(Add-KDC-authenticity-verification-support-CVE-2015-3206.patch)?

Regarding upstream, the patch has been included in 1.1.6 and updated in
1.1.10 regarding the 'verify' option (should have been optional but it was
not the case in the first patch). Ref:
* https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
* https://github.com/02strich/pykerberos/commit/5867201f1b9c682402aa9b495a654b8f346c8784

Regarding the ubuntu versions:
* precise: based on 1.1+svn4895, patch included
* trusty: based on 1.1+svn10616, patch *not* included
* vivid: based on 1.1.5, patch *not* included
* xenial: based on 1.1.5, patch included (updated with second fix)
* zesty: based on 1.1.5, patch included (updated with second fix)
* artful: based on 1.1.5, patch included (updated with second fix)

So only trusty and vivid lack the security patch. I don't know if there's a
need to patch vivid as it has already reached EOL.
[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix
Hello Mathieu,

Two things about your debdiff that I would suggest before this is uploaded:

1. Please set the priority to medium in the changelog to match the CVE
   priority, and I'm not sure the references to the other releases are
   needed; this can be dealt with in the DEP-3 header (see below).

2. Adding a DEP-3 header helps parse your patch in a machine-readable
   format, please update your patch to use it:
   http://dep.debian.net/deps/dep3/

Lastly, in order to properly do the triaging on the tracker[1], could you
please tell us if Zesty and Artful are applicable, or if it is fixed in
Xenial and on, and also which upstream release it was fixed in?

After the above is taken care of, it should be good to upload, unless
anyone else has feedback.

Thank you for your contribution to Ubuntu and your willingness to get this
fixed!

[1] https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3206.html
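The DEP-3 header requested in the message above is what lets a security tracker tie a patch to its origin commit, its bug and its CVE without a human re-reading the debdiff. The following is an added example, not code from pykerberos, from Ubuntu's tooling, or from anyone in this thread: a small Python parser for the DEP-3 subset discussed here (fields with continuation lines, Bug-<Vendor> fields, the '---' terminator), a check of the minimum fields DEP-3 requires, and extraction of CVE ids from the header. The sample patch is constructed; only the CVE id, the Launchpad bug URL and the upstream commit id are values taken from the thread. Two parsing choices are my own reading of DEP-3 and are marked as such in the docstring: a blank line after the first field ends the header, and free-form text before the first field is used as the Description when none is given.

```python
"""Parse and sanity-check DEP-3 patch headers (http://dep.debian.net/deps/dep3/).

Added example for this bug thread; not code from pykerberos or Ubuntu's tooling.
SAMPLE_PATCH below is constructed: only the CVE id, bug URL and upstream commit
id are taken from the thread, and the diff body is a stand-in.
"""
import re

# Field names DEP-3 defines (compared lower-case). 'Subject' and 'From' are the
# git-format-patch spellings of Description and Author; any 'Bug-<Vendor>'
# field (Bug-Ubuntu, Bug-Debian, ...) is accepted through a prefix check.
KNOWN_FIELDS = {
    "description", "subject", "origin", "bug", "forwarded", "author", "from",
    "reviewed-by", "acked-by", "last-update", "applied-upstream",
}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
ORIGIN_RE = re.compile(r"^(upstream|backport|vendor|other)\b")
# Lines that end the header: the conventional '---' separator or the diff itself.
HEADER_END = ("---", "diff ", "Index: ", "=== ")


def is_dep3_field(name):
    name = name.lower()
    return name in KNOWN_FIELDS or name.startswith("bug-")


def parse_dep3(patch_text):
    """Return {field_name_lowercase: value} for the header at the top of a patch.

    Continuation lines (leading whitespace) are folded into the current field;
    a continuation consisting of just '.' stands for an empty line. A repeated
    field (several Bug: lines) has its values joined with newlines. My reading
    of DEP-3 for two edge cases: free-form lines before the first field become
    the Description when none is given, and a blank line after at least one
    field ends the header (as do '---' and the start of the diff).
    """
    fields = {}
    free_text = []
    current = None
    for raw in patch_text.splitlines():
        if raw.startswith(HEADER_END):
            break
        if not raw.strip():
            if fields:
                break
            continue
        match = FIELD_RE.match(raw)
        if match and is_dep3_field(match.group(1)):
            current = match.group(1).lower()
            value = match.group(2).strip()
            fields[current] = value if current not in fields else fields[current] + "\n" + value
        elif raw[0] in " \t" and current is not None:
            cont = raw.strip()
            fields[current] += "\n" + ("" if cont == "." else cont)
        else:
            free_text.append(raw.strip())
            current = None
    if free_text and "description" not in fields and "subject" not in fields:
        fields["description"] = "\n".join(free_text)
    return fields


def validate_dep3(fields):
    """Return the list of DEP-3 minimum-requirement violations (empty means OK)."""
    problems = []
    if not (fields.get("description") or fields.get("subject")):
        problems.append("missing Description (or Subject)")
    if not any(fields.get(k) for k in ("origin", "author", "from")):
        problems.append("missing Origin (or Author/From)")
    origin = fields.get("origin", "")
    if origin and not ORIGIN_RE.match(origin):
        problems.append("Origin must start with upstream, backport, vendor or other")
    forwarded = fields.get("forwarded", "")
    if forwarded and forwarded not in ("yes", "no", "not-needed") and "://" not in forwarded:
        problems.append("Forwarded should be yes, no, not-needed or a URL")
    return problems


def cve_ids(fields):
    """All CVE identifiers mentioned anywhere in the header, unique and sorted."""
    found = set()
    for value in fields.values():
        found.update(CVE_RE.findall(value))
    return sorted(found)


# Constructed sample: the header a reviewer would expect on the trusty patch.
SAMPLE_PATCH = """\
Description: Add KDC authenticity verification support to checkPassword
 checkPassword does not authenticate the KDC it attempts to communicate
 with (CVE-2015-3206). This backport adds an optional 'verify' argument.
 .
 Taken from the xenial package, which carries the upstream fix.
Origin: backport, https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1716429
Forwarded: not-needed
Last-Update: 2017-10-05
---
--- a/src/kerberos.c
+++ b/src/kerberos.c
@@ -1,1 +1,1 @@
-/* constructed stand-in for the real diff body */
+/* constructed stand-in for the real diff body */
"""

if __name__ == "__main__":
    header = parse_dep3(SAMPLE_PATCH)
    for name, value in header.items():
        print(f"{name}: {value.splitlines()[0]}")
    print("CVEs:", cve_ids(header))
    print("problems:", validate_dep3(header) or "none")
```

Run against a real debdiff, the useful checks are the last two lines: a header with no CVE id or with an Origin that is not one of the four DEP-3 categories is exactly the kind of patch a tracker cannot triage automatically, which is the point the reviewer raises above.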
[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix
** Changed in: pykerberos (Ubuntu)
       Status: Incomplete => Confirmed

** Also affects: pykerberos (Ubuntu Trusty)
   Importance: Undecided
       Status: New

** Changed in: pykerberos (Ubuntu)
       Status: Confirmed => Fix Released

** Changed in: pykerberos (Ubuntu)
   Importance: Undecided => Medium

** Changed in: pykerberos (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: pykerberos (Ubuntu Trusty)
       Status: New => Confirmed
[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix
** Information type changed from Private Security to Public Security