krb5 security, bug fix, and enhancement update

2015-11-23T00:00:00
ID ELSA-2015-2154
Type oraclelinux
Reporter Oracle
Modified 2015-11-23T00:00:00

Description

[1.13.2-9] - Add patch and test case for 'KDC does not return proper client principal for client referrals' - Resolves: #1259846 [1.13.2-9] - Ammend patch for RedHat bug #1252454 ('testsuite complains 'Lifetime has increased by 32436 sec while 0 sec passed!', while rhel5-libkrb5 passes') to handle the newly introduced valgrind hits. [1.13.2-8] - Add a patch to fix RH Bug #1250154 ('[s390x, ppc64, ppc64le]: kadmind does not accept ACL if kadm5.acl does not end with EOL') The code 'accidently' works on x86/AMD64 because declaring a variable |char| results in an |unsigned char| by default while most other platforms (e.g. { s390x, ppc64, ppc64le, ...}) default to |signed char| (still have to use lint(1) to clean up 38 more instances of this kind of bug). [1.13.2-7] - Obsolete multilib versions of server packages to fix RH bug #1251913 ('krb5 should obsolete the multilib versions of krb5-server and krb5-server-ldap'). The following packages are declared obsolete: - krb5-server-1.11.3-49.el7.i686 - krb5-server-1.11.3-49.el7.ppc - krb5-server-1.11.3-49.el7.s390 - krb5-server-ldap-1.11.3-49.el7.i686 - krb5-server-ldap-1.11.3-49.el7.ppc - krb5-server-ldap-1.11.3-49.el7.s390 [1.13.2-6] - Add a patch to fix RedHat bug #1252454 ('testsuite complains 'Lifetime has increased by 32436 sec while 0 sec passed!', while rhel5-libkrb5 passes') so that krb5 resolves GSS creds if |time_rec| is requested. [1.13.2-5] - Add a patch to fix RedHat bug #1251586 ('KDC sends multiple requests to ipa-otpd for the same authentication') which causes the KDC to send multiple retries to ipa-otpd for TCP transports while it should only be done for UDP. [1.13.2-4] - the rebase to krb5 1.13.2 in vers 1.13.2-0 also fixed: - Redhat Bug #1247761 ('RFE: Minor krb5 spec file cleanup and sync with recent Fedora 22/23 changes') - Redhat Bug #1247751 ('krb5-config returns wrong -specs path') - Redhat Bug #1247608 ('Add support for multi-hop preauth mechs via |KDC_ERR_MORE_PREAUTH_DATA_REQUIRED| for RFC 6113 ('A Generalized Framework for Kerberos Pre-Authentication')') - Removed 'krb5-1.10-kprop-mktemp.patch' and 'krb5-1.3.4-send-pr-tempfile.patch', both are no longer used since the rebase to krb5 1.13.1 [1.13.2-3] - Add patch to fix Redhat Bug #1222903 ('[SELinux] AVC denials may appear when kadmind starts'). The issue was caused by an unneeded |htons()| which triggered SELinux AVC denials due to the 'random' port usage. [1.13.2-2] - Add fix for RedHat Bug #1164304 ('Upstream unit tests loads the installed shared libraries instead the ones from the build') [1.13.2-1] - the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed: - Bug 1144498 ('Fix the race condition in the libkrb5 replay cache') - Bug 1163402 ('kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64') - Bug 1185770 ('Missing upstream test in krb5-1.12.2: src/tests/gssapi/t_invalid.c') - Bug 1204211 ('CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and other') [1.13.2-0] - Update to krb5-1.13.2 - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2 - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2 [1.13.1-2] - the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed RH bug #1156144 ('krb5 upstream test t_kdb.py failure') [1.13.1-1] - fix for CVE-2015-2694 (#1218020) 'requires_preauth bypass in PKINIT-enabled KDC'. In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. [1.13.1-0] - Update to krb5-1.13.1 - patch krb5-1.12-selinux-label was updated and renamed to krb5-1.13-selinux-label - patch krb5-1.11-dirsrv-accountlock was updated and renamed to krb5-1.13-dirsrv-accountlock - drop patch for krb5-1.12-pwdch-fast, fixed in krb5-1.13 - drop patch for krb5-1.12ish-kpasswd_tcp, fixed in krb5-1.13 - drop patch for krb5-master-rcache-internal-const, no longer needed - drop patch for krb5-master-rcache-acquirecred-cleanup, no longer needed - drop patch for krb5-master-rcache-acquirecred-source, no longer needed - drop patch for krb5-master-rcache-acquirecred-test, no longer needed - drop patch for krb5-master-move-otp-sockets, no longer needed - drop patch for krb5-master-mechd, no longer needed - drop patch for krb5-master-strdupcheck, no longer needed - drop patch for krb5-master-compatible-keys, no longer needed - drop patch for krb5-1.12-system-exts, fixed in krb5-1.13 - drop patch for 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted, no longer needed - drop patch for 0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals, no longer needed - drop patch for 0003-Use-an-intermediate-memory-cache-in-ksu, no longer needed - drop patch for 0004-Make-ksu-respect-the-default_ccache_name-setting, no longer needed - drop patch for 0005-Copy-config-entries-to-the-ksu-target-ccache, no longer needed - drop patch for 0006-Use-more-randomness-for-ksu-secondary-cache-names, no longer needed - drop patch for 0007-Make-krb5_cc_new_unique-create-DIR-directories, no longer needed - drop patch for krb5-1.12-kpasswd-skip-address-check, fixed in krb5-1.13 - drop patch for 0000-Refactor-cm-functions-in-sendto_kdc.c, no longer needed - drop patch for 0001-Simplify-sendto_kdc.c, no longer needed - drop patch for 0002-Add-helper-to-determine-if-a-KDC-is-the-master, no longer needed - drop patch for 0003-Use-k5_transport-_strategy-enums-for-k5_sendto, no longer needed - drop patch for 0004-Build-support-for-TLS-used-by-HTTPS-proxy-support, no longer needed - drop patch for 0005-Add-ASN.1-codec-for-KKDCP-s-KDC-PROXY-MESSAGE, no longer needed - drop patch for 0006-Dispatch-style-protocol-switching-for-transport, no longer needed - drop patch for 0007-HTTPS-transport-Microsoft-KKDCPP-implementation, no longer needed - drop patch for 0008-Load-custom-anchors-when-using-KKDCP, no longer needed - drop patch for 0009-Check-names-in-the-server-s-cert-when-using-KKDCP, no longer needed - drop patch for 0010-Add-some-longer-form-docs-for-HTTPS, no longer needed - drop patch for 0011-Have-k5test.py-provide-runenv-to-python-tests, no longer needed - drop patch for 0012-Add-a-simple-KDC-proxy-test-server, no longer needed - drop patch for 0013-Add-tests-for-MS-KKDCP-client-support, no longer needed - drop patch for krb5-1.12ish-tls-plugins, fixed in krb5-1.13.1 - drop patch for krb5-1.12-nodelete-plugins, fixed in krb5-1.13.1 - drop patch for krb5-1.12-ksu-untyped-default-ccache-name, fixed in krb5-1.13.1 - drop patch for krb5-1.12-ksu-no-ccache, fixed in krb5-1.13.1 - drop patch for krb5-ksu_not_working_with_default_principal, fixed in krb5-1.13.1 - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1 - drop patch for CVE_2014_5354_support_keyless_principals_in_ldap, fixed in krb5-1.13.1 - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1 - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1 - added patch krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED - added patch krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling - Minor spec cleanup