** Attachment added: "Test build" https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/988520/+attachment/3146880/+files/krb5_1.10%2Bdfsg%7Ebeta1-2ubuntu0.1_amd64.build.xz
** Description changed:

+ SRU Justification
+ 
+ [Impact]
+ 
+ If an authentication fails after preauth was requested, all subsequent
+ preauth-required authentications in the same Kerberos context will also
+ fail. This breaks password change when credentials have expired, and
+ also breaks try_first_pass functionality in Kerberos PAM modules.
+ 
+ [Development Fix]
+ 
+ New upstream release. Updated in Debian. Pending sync in Ubuntu.
+ Verified in Ubuntu manually.
+ 
+ [Stable Fix]
+ 
+ Upstream patch cherry-picked. Debdiff attached.
+ 
+ [Test Case]
+ 
+ testcase.sh attached.
+ 
+ [Regression Potential]
+ 
+ Low: one line patch for missing initialisation written by upstream.
+ 
+ 
+ Original report by Russ Allbery:
+ 
  MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in
  the tracking of preauth mechanisms such that, if an authentication fails
  after preauth was requested, all subsequent preauth-required
  authentications in the same Kerberos context will also fail. This breaks
  password change when credentials have expired, and also breaks
  try_first_pass functionality in Kerberos PAM modules.

  Upstream has fixed this problem in their mainline with commit 25822.

** Changed in: krb5 (Ubuntu)
       Status: Incomplete => Triaged

-- 
https://bugs.launchpad.net/bugs/988520

Title:
  After failed auth, subsequent auths in same context fail