[Touch-packages] [Bug 2054916] Re: CVE-2022-44640 affects the version of heimdal on ubuntu 22.04 - could it be updated?

2024-02-29 Thread Paride Legovini
** Also affects: heimdal (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: heimdal (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Changed in: heimdal (Ubuntu Focal)
   Status: New => Fix Released

** Changed in: heimdal (Ubuntu Jammy)
   Status: New => Triaged

** Changed in: heimdal (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to heimdal in Ubuntu.
https://bugs.launchpad.net/bugs/2054916

Title:
  CVE-2022-44640 affects the version of heimdal on ubuntu 22.04 - could
  it be updated?

Status in heimdal package in Ubuntu:
  Fix Released
Status in heimdal source package in Focal:
  Fix Released
Status in heimdal source package in Jammy:
  Triaged

Bug description:
  I am running ubuntu 22.04. The version of heimdal installed (7.7.0) is
  vulnerable to CVE-2022-44640, which is categorised as critical by some
  (crowdstrike falcon at least). Is it possible to upgrade it to some
  non-vulnerable version?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/2054916/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 2054916] Re: CVE-2022-44640 affects the version of heimdal on ubuntu 22.04 - could it be updated?

2024-02-28 Thread Dag Hovland
Unfortunately, I am completely new to ubuntu packaging. The
documentation on update procedures in the post above points to
https://canonical-ubuntu-packaging-guide.readthedocs-hosted.com/en/latest/ ,
which is under work, and seems to recommend only
experienced packagers to make packages at the moment. Also I do not have
a running kerberos server so testing would not really be possible. Sorry
about this. If you can point me in the direction of documentation on
packaging, and it is ok for someone else to test the setup, then I can
give it a shot.

Status in heimdal package in Ubuntu:
  Triaged


[Touch-packages] [Bug 2054916] Re: CVE-2022-44640 affects the version of heimdal on ubuntu 22.04 - could it be updated?

2024-02-26 Thread Athos Ribeiro
In Debian, this was fixed in 7.7.0+dfsg-2+deb11u1 in bullseye(-security)
- i.e., 7.7.0+dfsg-2 was still affected.

7.7.0+dfsg-3 includes a fix for a different CVE:

heimdal (7.7.0+dfsg-3) unstable; urgency=high

  * Fix CVE-2021-3671: A null pointer de-reference was found in the way
    samba kerberos server handled missing sname in TGS-REQ. Closes: #996586.
  * Fix autoconf 2.7 issues

In focal, this was fixed in 7.7.0+dfsg-1ubuntu1.3 on Wed, 11 Jan 2023

  * SECURITY UPDATE: invalid free
    - debian/patches/CVE-2022-44640.patch: relocates a call to fprintf and
      parameters when calling it in decode_type() in lib/asn1/gen_decode.c
      and add a call to fprintf in free_type() in lib/asn1/gen_free.c.
    - CVE-2022-44640

In jammy, we have 7.7.0+dfsg-3ubuntu1. As mentioned above, 7.7.0+dfsg-3
does not include the fix for the mentioned CVE. Moreover, our delta in
this release is just former delta being carried by the merge:

heimdal (7.7.0+dfsg-3ubuntu1) jammy; urgency=medium

  * Merge with Debian unstable (LP: #1946860). Remaining changes:
    - Disable lto, to regain dep on roken, otherwise dependencies on amd64
      are different to i386 resulting in different files on amd64 and
      i386. LP #1934936
    - Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226
      (LP #1945787)

Therefore, this does seem to still be affected by the CVE, as reported.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3671

** Changed in: heimdal (Ubuntu)
   Status: New => Triaged

Status in heimdal package in Ubuntu:
  Triaged


[Touch-packages] [Bug 2054916] Re: CVE-2022-44640 affects the version of heimdal on ubuntu 22.04 - could it be updated?

2024-02-25 Thread Hans Joachim Desserud
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2022-44640

Status in heimdal package in Ubuntu:
  New