Bug 1203889 - RFE: Rebase krb5 in RHEL7.2 to krb5 1.13 (krb1.13.2) ...
Summary: RFE: Rebase krb5 in RHEL7.2 to krb5 1.13 (krb1.13.2) ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: krb5
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Robbie Harwood
QA Contact: Patrik Kis
URL:
Whiteboard:
Duplicates: 1221215
Depends On: 1222903 1247608 1247751 1247761
Blocks: 1181710
Reported: 2015-03-19 21:07 UTC by Roland Mainz
Modified: 2015-11-19 05:13 UTC (History)

Fixed In Version: krb5-1.13.2-0.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
The krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version.
Clone Of:
Environment:
Last Closed: 2015-11-19 05:13:17 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2154 0 normal SHIPPED_LIVE Moderate: krb5 security, bug fix, and enhancement update 2015-11-19 08:16:22 UTC

Description Roland Mainz 2015-03-19 21:07:38 UTC
RFE: Rebase krb5 in RHEL7.2 to krb5 1.13 (currently krb1.13.1, see http://web.mit.edu/kerberos/krb5-1.13/)

Comment 1 Roland Mainz 2015-03-19 21:08:45 UTC
Prototype done but still needs to be tested against the QA testsuite and needs nalin/simo's blessing...

Comment 5 Roland Mainz 2015-05-04 10:40:38 UTC
Fixed in krb5-1.13.1-0.el7

Comment 9 Roland Mainz 2015-05-17 20:45:38 UTC
*** Bug 1221215 has been marked as a duplicate of this bug. ***

Comment 10 Roland Mainz 2015-05-17 20:48:56 UTC
Re-opening for krb5 1.13.1 to 1.13.2 rebase (see DUPlicate bug #1221215 for justification and QA comments) ...

Comment 11 Roland Mainz 2015-05-17 20:50:13 UTC
Accepting bug (again) ...

Comment 12 Roland Mainz 2015-05-17 22:34:46 UTC
Changes checked in, builds completed...

... marking bug as MODIFIED ...

Comment 16 Roland Mainz 2015-07-02 18:11:33 UTC
pkis: Here is the requested information as discussed this and last week:

a) Prioritised list of new features in krb5 1.13.2 which should be tested and/or/xor require new test modules: 
1. Test KDC support for accessing a KDC via an HTTPS proxy server using the MS-KKDCP protocol (question: Does HTTP work, too? If "yes" we should have runs for HTTP and HTTPS; HTTPS tunnel doesn't make much sense for the already encrypted krb5 traffic so some customers might skip the ssl/tls part and just prefer plain HTTP) [we had this in RHEL7.1 via backport]

2. Test support for hierarchical incremental propagation (where slaves can act as intermediates between an upstream master and other downstream slaves). This basically means to use the existing tests for incremental propagation and add slaves as intermediates, so instead slave-->KDC you should do something like slave-->slave-->slave-->slave-->KDC (add more intermediates if possible... 😈)
BTW: See http://svn.nrubsig.org/svn/people/gisburn/code/kdctest/test3.sh for how to run KDCs with non-standard ports, AFAIK this should allow the testcase to run all slaves+master KDC on a single machine

3. Test support to the LDAP KDB module for binding to the LDAP server using SASL (this is likely the most problematic thing to test in this list)

4. Test support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf files in addition to /etc/gss/mech (this is needed for gssproxy; AFAIK there is already a testcase for this in the testsuite).



b) CVEs:
1. Bypass of requires_preauth in KDCs that have PKINIT enabled [CVE-2015-2694] (severity of issue in RHEL is a bit unclear)

2. Vulnerability in |krb5_read_message()| [CVE-2014-5355] (listed here because there are still *MANY* sites which use ksh/klogin/etc. because ssh adds lots of overhead+latency which they do not want)

3. Multiple kadmind vulnerabilities, some of which are based in the gssrpc library [CVE-2014-5352, CVE-2014-5352, CVE-2014-9421, CVE-2014-9422 and CVE-2014-9423]

4. Multiple vulnerabilities in the LDAP KDC back end [CVE-2014-5354] [CVE-2014-5353] (most of them hard to exploit, so low priority)

5. Minor key disclosure vulnerability where using the "keepold" option to the kadmin randkey operation could return the old keys [CVE-2014-5351] (this one is harmless and just listed for completeness)

Comment 21 Nathaniel McCallum 2015-07-28 20:26:13 UTC
Bug ID for the patch is #1247608.

Comment 34 errata-xmlrpc 2015-11-19 05:13:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2154.html

