Bug 1203889 - RFE: Rebase krb5 in RHEL7.2 to krb5 1.13 (krb1.13.2) ...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5 (Show other bugs)
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Robbie Harwood
QA Contact: Patrik Kis
Keywords: FutureFeature, Rebase
Duplicates: 1221215
Depends On: 1222903 1247608 1247751 1247761
Blocks: 1181710
Reported: 2015-03-19 17:07 EDT by Roland Mainz
Modified: 2015-11-19 00:13 EST (History)

See Also:
Fixed In Version: krb5-1.13.2-0.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
The krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 00:13:17 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2154 normal SHIPPED_LIVE Moderate: krb5 security, bug fix, and enhancement update 2015-11-19 03:16:22 EST

Description Roland Mainz 2015-03-19 17:07:38 EDT
RFE: Rebase krb5 in RHEL7.2 to krb5 1.13 (currently krb1.13.1, see http://web.mit.edu/kerberos/krb5-1.13/)
Comment 1 Roland Mainz 2015-03-19 17:08:45 EDT
Prototype done but still needs to be tested against the QA testsuite and needs nalin/simo's blessing...
Comment 5 Roland Mainz 2015-05-04 06:40:38 EDT
Fixed in krb5-1.13.1-0.el7
Comment 9 Roland Mainz 2015-05-17 16:45:38 EDT
*** Bug 1221215 has been marked as a duplicate of this bug. ***
Comment 10 Roland Mainz 2015-05-17 16:48:56 EDT
Re-opening for krb5 1.13.1 to 1.13.2 rebase (see DUPlicate bug #1221215 for justification and QA comments) ...
Comment 11 Roland Mainz 2015-05-17 16:50:13 EDT
Accepting bug (again) ...
Comment 12 Roland Mainz 2015-05-17 18:34:46 EDT
Changes checked in, builds completed...

... marking bug as MODIFIED ...
Comment 16 Roland Mainz 2015-07-02 14:11:33 EDT
pkis: Here is the requested information as discussed this and last week:

a) Prioritised list of new features in krb5 1.13.2 which should be tested and/or/xor require new test modules: 
1. Test KDC support for accessing a KDC via an HTTPS proxy server using the MS-KKDCP protocol (question: Does HTTP work, too ? If "yes" we should have runs for HTTP and HTTPS; HTTPS tunnel doesn't make much sense for the already encrypted krb5 traffic so some customers might skip the ssl/tls part and just prefer plain HTTP) [we had this in RHEL7.1 via backport]

2. Test support for hierarchical incremental propagation (where slaves can act as intermediates between an upstream master and other downstream slaves). This basically means to use the existing tests for incremental propagation and add slaves as intermediates, so instead slave-->KDC you should do something like slave-->slave-->slave-->slave-->KDC (add more intermediates if possible... 😈)
BTW: See http://svn.nrubsig.org/svn/people/gisburn/code/kdctest/test3.sh for how to run KDCs with non-standard ports, AFAIK this should allow the testcase to run all slaves+master KDC on a single machine

3. Test support to the LDAP KDB module for binding to the LDAP server using SASL (this is likely the most problematic thing to test in this list)

4. Test support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf files in addition to /etc/gss/mech (this is needed for gssproxy; AFAIK there is already a testcase for this in the testsuite).



b) CVEs:
1. Bypass of requires_preauth in KDCs that have PKINIT enabled [CVE-2015-2694] (severity of issue in RHEL is a bit unclear)

2. Vulnerability in |krb5_read_message()| [CVE-2014-5355] (listed here because there are still *MANY* sites which use ksh/klogin/etc. because ssh adds lots of overhead+latency which they do not want)

3. Multiple kadmind vulnerabilities, some of which are based in the gssrpc library [CVE-2014-5352, CVE-2014-5352, CVE-2014-9421, CVE-2014-9422 and  CVE-2014-9423]

4. Multiple vulnerabilities in the LDAP KDC back end [CVE-2014-5354] [CVE-2014-5353] (most of them hard to exploit, so low priority)

5. Minor key disclosure vulnerability where using the "keepold" option to the kadmin randkey operation could return the old keys [CVE-2014-5351] (this one is harmless and just listed for completeness)
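As an added illustration of test item a)4 above (GSS mechanism definitions read from /etc/gss/mech.d/*.conf in addition to /etc/gss/mech), here is a small read-only checker that merges both sources and reports names defined more than once, which is the shadowing case a tester would want to catch. This is example code written for this page, not part of krb5 or the RHEL test suite; it assumes the whitespace-separated "name oid library [...]" line layout of mech files, and the sample file contents and the gssproxy OID are constructed.

```python
"""Merge GSSAPI mech definitions from /etc/gss/mech and /etc/gss/mech.d/*.conf (example)."""
import glob
import os
import re

OID_RE = re.compile(r"\d+(\.\d+)+")

# Constructed sample contents standing in for the real files; the gssproxy OID is a placeholder.
SAMPLE_MECH = """\
# comment and blank lines are ignored
krb5_mech   1.2.840.113554.1.2.2   libgssapi_krb5.so
spnego      1.3.6.1.5.5.2          libgssapi_krb5.so

"""
SAMPLE_MECH_D = {
    "gssproxy.conf": "gssproxy_v1  1.3.6.1.4.1.99999.1  libgssproxy.so\n",
    "dup.conf":      "krb5_mech    1.2.840.113554.1.2.2  other.so   # redefines a base mech\n",
}


def parse_mech_text(text, source):
    """Return [(name, oid, library)] for well-formed lines; reject malformed ones loudly."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or not OID_RE.fullmatch(fields[1]):
            raise ValueError(f"{source}:{lineno}: malformed mech line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def merge_mechs(base_text, dropins):
    """Merge base file plus drop-ins (sorted by filename, as a glob would order them).
    Returns (mechs, conflicts): mechs maps name -> (oid, library, source); conflicts lists
    (name, first_source, later_source). First definition wins here (an assumption for the
    report only, not a claim about krb5's own precedence rule)."""
    mechs, conflicts = {}, []
    sources = [("/etc/gss/mech", base_text)]
    sources += [(f"/etc/gss/mech.d/{n}", dropins[n]) for n in sorted(dropins)]
    for source, text in sources:
        for name, oid, lib in parse_mech_text(text, source):
            if name in mechs:
                conflicts.append((name, mechs[name][2], source))
                continue
            mechs[name] = (oid, lib, source)
    return mechs, conflicts


def load_from_disk(base="/etc/gss/mech", pattern="/etc/gss/mech.d/*.conf"):
    """Run the same merge over the real files on a host (read-only)."""
    with open(base) as f:
        base_text = f.read()
    dropins = {os.path.basename(p): open(p).read() for p in glob.glob(pattern)}
    return merge_mechs(base_text, dropins)
```

Running merge_mechs on the constructed samples lists three mechanisms and flags krb5_mech as defined in both the base file and dup.conf.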
Comment 21 Nathaniel McCallum 2015-07-28 16:26:13 EDT
Bug ID for the patch is #1247608.
Comment 34 errata-xmlrpc 2015-11-19 00:13:17 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2154.html
