date:20170914

[Freeipa] [Bug 1717356] [NEW] CVE-2016-6298

2017-09-14 Thread Brian Morton

*** This bug is a security vulnerability ***

Public security bug reported:

The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in
jwcrypto before 0.3.2 lacks the Random Filling protection mechanism,
which makes it easier for remote attackers to obtain cleartext data via
a Million Message Attack (MMA).

https://people.canonical.com/~ubuntu-
security/cve/2016/CVE-2016-6298.html

** Affects: python-jwcrypto (Ubuntu)
 Importance: Undecided
 Assignee: Brian Morton (rokclimb15)
 Status: In Progress

** Information type changed from Private Security to Public Security

** Changed in: python-jwcrypto (Ubuntu)
 Assignee: (unassigned) => Brian Morton (rokclimb15)

** Changed in: python-jwcrypto (Ubuntu)
   Status: New => In Progress

** Description changed:

  The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in
  jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which
- makes it easier for remote attackers to obtain cleartext data via a Million
- Message Attack (MMA).
+ makes it easier for remote attackers to obtain cleartext data via a Million 
Message Attack (MMA).
  
  https://people.canonical.com/~ubuntu-
  security/cve/2016/CVE-2016-6298.html

** Description changed:

  The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in
- jwcrypto before 0.3.2 lacks the Random Filling protection mechanism, which
- makes it easier for remote attackers to obtain cleartext data via a Million 
Message Attack (MMA).
+ jwcrypto before 0.3.2 lacks the Random Filling protection mechanism,
+ which makes it easier for remote attackers to obtain cleartext data via
+ a Million Message Attack (MMA).
  
  https://people.canonical.com/~ubuntu-
  security/cve/2016/CVE-2016-6298.html

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-6298

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to python-jwcrypto in Ubuntu.
https://bugs.launchpad.net/bugs/1717356

Title:
  CVE-2016-6298

Status in python-jwcrypto package in Ubuntu:
  In Progress

Bug description:
  The _Rsa15 class in the RSA 1.5 algorithm implementation in jwa.py in
  jwcrypto before 0.3.2 lacks the Random Filling protection mechanism,
  which makes it easier for remote attackers to obtain cleartext data
  via a Million Message Attack (MMA).

  https://people.canonical.com/~ubuntu-
  security/cve/2016/CVE-2016-6298.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/python-jwcrypto/+bug/1717356/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

[Freeipa] [Bug 1693154] Update Released

2017-09-14 Thread Brian Murray

The verification of the Stable Release Update for freeipa has completed
successfully and the package has now been released to -updates.
Subsequently, the Ubuntu Stable Release Updates Team is being
unsubscribed and will not receive messages about this bug report.  In
the event that you encounter a regression using the package from
-updates please report a new bug using ubuntu-bug and tag the bug report
regression-update so we can easily find any regressions.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  Fix Released
Status in kerberos-configs package in Debian:
  New

Bug description:
  [Impact]
  ipa-client-install fails because it modifies /etc/krb5.conf to include 
/etc/krb5.conf.d which doesn't exist, so kinit fails.

  The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-
  client.

  [Test case]
  Enroll an IPA client with ipa-client-install, it should pass.

  [Regression potential]
  None, this is a safe addition.

  
  [original description]
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. 
joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with 
a COCKPIT.LAN domain (from the "ipa-*" image on 
https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. 
Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd 
sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN 
--mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W 
--force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly 
after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not 
be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  stracing shows that it tries to access /etc/krb5.conf.d/ which does
  not exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-09-14 Thread Launchpad Bug Tracker

This bug was fixed in the package freeipa - 4.4.3-3ubuntu2.1

---
freeipa (4.4.3-3ubuntu2.1) zesty; urgency=medium

  * client.dirs: Ship /etc/krb5.conf.d, because not having that breaks
the installer when krb5.conf tries to include it. (LP: #1693154)

 -- Timo Aaltonen   Wed, 14 Jun 2017 13:56:03 +0300

** Changed in: freeipa (Ubuntu Zesty)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  Fix Released
Status in kerberos-configs package in Debian:
  New

Bug description:
  [Impact]
  ipa-client-install fails because it modifies /etc/krb5.conf to include 
/etc/krb5.conf.d which doesn't exist, so kinit fails.

  The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-
  client.

  [Test case]
  Enroll an IPA client with ipa-client-install, it should pass.

  [Regression potential]
  None, this is a safe addition.

  
  [original description]
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. 
joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with 
a COCKPIT.LAN domain (from the "ipa-*" image on 
https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. 
Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd 
sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN 
--mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W 
--force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly 
after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not 
be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  stracing shows that it tries to access /etc/krb5.conf.d/ which does
  not exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

2017-09-14 Thread Martin Pitt

Using the reproduction steps in the description, I re-confirmed that
with the current zesty version joining the domain fails because of that
missing directory. After installing freeipa-{client,common} from
-proposed, joining the domain now succeeds.

** Tags removed: verification-needed-zesty
** Tags added: verification-done-zesty

** Tags removed: verification-needed

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1693154

Title:
  ipa-client-install fails: kinit: Included profile directory could not
  be read while initializing Kerberos 5 library

Status in freeipa package in Ubuntu:
  Fix Released
Status in freeipa source package in Zesty:
  Fix Committed
Status in kerberos-configs package in Debian:
  New

Bug description:
  [Impact]
  ipa-client-install fails because it modifies /etc/krb5.conf to include 
/etc/krb5.conf.d which doesn't exist, so kinit fails.

  The (temporary) fix is to add /etc/krb5.conf.d directory to freeipa-
  client.

  [Test case]
  Enroll an IPA client with ipa-client-install, it should pass.

  [Regression potential]
  None, this is a safe addition.

  
  [original description]
  Ubuntu 17.04's freeipa-client has a regression (compared to 16.04 LTS) wrt. 
joining a FreeIPA kerberos server. I am running a server on 10.111.112.100 with 
a COCKPIT.LAN domain (from the "ipa-*" image on 
https://fedorapeople.org/groups/cockpit/images/), and realmd.service fails. 
Running ipa-client-install manually shows why:

  $ sudo DEBIAN_FRONTEND=noninteractive apt -y install freeipa-client realmd 
sssd-tools packagekit
  $ echo 'nameserver 10.111.112.100' | sudo tee -a /etc/resolv.conf

  $ sudo ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN 
--mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W 
--force-ntpd -w foobarfoo
  Discovery was successful!
  Client hostname: autopkgtest
  Realm: COCKPIT.LAN
  DNS Domain: cockpit.lan
  IPA Server: f0.cockpit.lan
  BaseDN: dc=cockpit,dc=lan

  Synchronizing time with KDC...
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Attempting to sync time using ntpd.  Will timeout after 15 seconds
  Unable to sync time with NTP server, assuming the time is in sync. Please 
check that 123 UDP port is opened.
  Please make sure the following ports are opened in the firewall settings:
   TCP: 80, 88, 389
   UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
  Also note that following ports are necessary for ipa-client working properly 
after enrollment:
   TCP: 464
   UDP: 464, 123 (if NTP enabled)
  Kerberos authentication failed: kinit: Included profile directory could not 
be read while initializing Kerberos 5 library

  Installation failed. Rolling back changes.
  IPA client is not configured on this system.

  stracing shows that it tries to access /etc/krb5.conf.d/ which does
  not exist. mkdir'ing this is sufficient to fix it.

  I'm not entirely sure if this is really in freeipa-client or krb5-user
  (kinit), but running "kinit -f ad...@cockpit.lan" directly succeeds.

  ProblemType: Bug
  DistroRelease: Ubuntu 17.04
  Package: freeipa-client 4.4.3-3ubuntu2
  ProcVersionSignature: User Name 4.10.0-21.23-generic 4.10.11
  Uname: Linux 4.10.0-21-generic x86_64
  ApportVersion: 2.20.4-0ubuntu4.1
  Architecture: amd64
  Date: Wed May 24 09:30:57 2017
  ProcEnviron:
   TERM=xterm
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: freeipa
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1693154/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp

[Freeipa] [Bug 1717356] [NEW] CVE-2016-6298

[Freeipa] [Bug 1693154] Update Released

[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

[Freeipa] [Bug 1693154] Re: ipa-client-install fails: kinit: Included profile directory could not be read while initializing Kerberos 5 library

4 matches

Site Navigation

Mail list logo

Footer information