[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2018-02-06 Thread Launchpad Bug Tracker
This bug was fixed in the package pykerberos - 1.1+svn10616-2ubuntu0.1 --- pykerberos (1.1+svn10616-2ubuntu0.1) trusty-security; urgency=medium * SECURITY UPDATE: The checkPassword function does not authenticate the KDC it attempts to communicate with (LP: #1716429) -

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-10-15 Thread Mathieu Lafon
Hi Steve, > When Debian fixed this issue [...], they left the default to off, in order to > not break [...] > The update for Ubuntu 12.04 LTS included this default. You're correct about Debian, but this is not exactly what is in the 12.04 LTS update. The patch for precise has two issues: - The

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-10-13 Thread Steve Beattie
Hi Mathieu, When Debian fixed this issue for Jessie and Wheezy (their stable releases), they left the default to off, in order to not break existing setups that aren't prepared to do validation of the KDC (as it requires possibly setting up an additional keytab). The update for Ubuntu 12.04 LTS

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-10-05 Thread Mathieu Lafon
Here is a new debdiff with the following changes: - Updated priority in changelog - Added DEP-3 headers in included patch - Removed const qualifier Regards. ** Patch added: "pykerberos_1.1+svn10616-2_1.1+svn10616-2ubuntu0.1.debdiff"

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-19 Thread Seth Arnold
Hrm, the debdiff includes: ++const int verify = 1; This patch from upstream removed the 'const': https://github.com/02strich/pykerberos/commit/873fca96cb42ff1c163859a5618dc9983796f438 The commit message includes this "gcc didn't respect the const qualifiers, however" -- I'm not sure I like

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-14 Thread Simon Quigley
Hello Mathieu, Please add the DEP-3 header to the included patch (Add-KDC-authenticity-verification-support-CVE-2015-3206.patch). Thanks for the triaging, I can get that on the tracker next time I do some triaging (unless a member of ~ubuntu-security wants to take care of it). Thank you! --

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-13 Thread Mathieu Lafon
Hello Simon, On which patch do you expect me to add DEP-3 header? Is it the debdiff or the included patch (Add-KDC-authenticity-verification-support-CVE-2015-3206.patch)? Regarding upstream, the patch has been included in 1.1.6 and updated in 1.1.10 regarding the 'verify' option (should have

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-12 Thread Simon Quigley
Hello Mathieu, Two things about your debdiff that I would suggest before this is uploaded: 1. Please set the priority to medium in the changelog to match the CVE priority, and I'm not sure the references to the other releases are needed, this can be dealt with in the DEP-3 header (see below).

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-12 Thread Simon Quigley
** Changed in: pykerberos (Ubuntu) Status: Incomplete => Confirmed ** Also affects: pykerberos (Ubuntu Trusty) Importance: Undecided Status: New ** Changed in: pykerberos (Ubuntu) Status: Confirmed => Fix Released ** Changed in: pykerberos (Ubuntu) Importance:

[Bug 1716429] Re: pykerberos for trusty does not include CVE-2015-3206 fix

2017-09-12 Thread Seth Arnold
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1716429 Title: pykerberos for trusty does not include CVE-2015-3206 fix To manage