From: https://rhn.redhat.com/errata/RHSA-2004-350.html Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execuate arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0642 and CAN-2004-0643 to these issues. ------- Additional Comments From marcdeslauriers 2004-09-01 15:33:59 ---- RHAS 2.1 advisory: https://rhn.redhat.com/errata/RHSA-2004-448.html ------- Additional Comments From dwb7.edu 2004-09-02 05:49:02 ---- Obsoletes 1726 ------- Additional Comments From marcdeslauriers 2004-09-02 13:44:24 ---- The following was posted in bug 2041 by mistake: From Dave Botsch 2004-09-02 05:49 : -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Built packages for RH7.3: sha1sum -b *.rpm ef5ab48ad356a944c7cc3ba923c9dbb50ef83c5e *krb5-1.2.4-13.legacy.7x.src.rpm 810bb9ffba0ceeffdfe8622077680cd4a27a0152 *krb5-devel-1.2.4-13.legacy.7x.i386.rpm 113cbd9f47f9d141fddb5b6ae9a03deb000a3a35 *krb5-libs-1.2.4-13.legacy.7x.i386.rpm 1a2402efd13a1dff6c5c7935de846c2b3da12595 *krb5-server-1.2.4-13.legacy.7x.i386.rpm 2a7ea85868b70f76f990903a9a8a6223f6ed9e48 *krb5-workstation-1.2.4-13.legacy.7x.i386.rpm download from http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/krb5 - -DWB -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBN0C9SY7s7uPf/IURAmaKAKCyzN/UHhzpTtFiUjI4ds5Z8VGrAACfXKUb nqqbHP2Jd+RAuTAPmPzNKbY= =8qto -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2004-09-02 13:46:23 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did QA on Dave's packages for 7.3: ef5ab48ad356a944c7cc3ba923c9dbb50ef83c5e *krb5-1.2.4-13.legacy.7x.src.rpm - - Source is unchanged from previous - - Patch files are good - - Spec file is good - - Builds, installs and runs OK +PUBLISH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBN7DkLMAs/0C4zNoRAvCRAJ9dzQgZ4iFFRi8DcXbK9WOoxZzMBgCfcvxJ pU8tKY/tVP+C9ITQFKIuNE8= =/gmt -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2004-09-02 14:16:40 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated packages to QA for rh9: Changelog: * Thu Sep 02 2004 Marc Deslauriers <marcdeslauriers> 1.2.7-16.legacy - - apply patches for MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003 - - disabled patch32 (Obsoleted by MITKRB5-SA-2004-002 patch) 59d80f0e4ff7ea1f4ba94b5efc3fbd148c6d70d2 krb5-1.2.7-16.legacy.src.rpm c095c4d8c2fa42fc76af78ea95d678561c53ca66 krb5-devel-1.2.7-16.legacy.i386.rpm 8dbd92f9791f02f4aef8e764846e970c4d73077f krb5-libs-1.2.7-16.legacy.i386.rpm 18041a175cb20b9f5ed3dd7caa0f863dfec7bd76 krb5-server-1.2.7-16.legacy.i386.rpm 9fe14d984b453693a236c02d04288d58336a1ae0 krb5-workstation-1.2.7-16.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/9/krb5-1.2.7-16.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/9/krb5-devel-1.2.7-16.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/9/krb5-libs-1.2.7-16.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/9/krb5-server-1.2.7-16.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/9/krb5-workstation-1.2.7-16.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBN7fcLMAs/0C4zNoRAgfoAKC2eLzj2fq9GTsACGjTpxCs0Uu4iQCfWApE PkEGsEzbLN8iLtY1qw8IrzI= =06SU -----END PGP SIGNATURE----- ------- Additional Comments From mattdm 2004-09-03 09:11:59 ---- Marc's RH9 packages look good to me -- the patches and sources match the upstream, the spec file seems file, and everything seems to work. (How does this work? Do I add the REVIEWED keyword? Remove the QA one? Add PUBLISH?) ------- Additional Comments From michal 2004-09-05 11:27:53 ---- At least for krb5-1.2.4-13.legacy.7x.src.rpm I fail to see patch44, i.e. MITKRB5-SA-2004-001-an_to_ln-1.2.txt, applied anywhere. Moreover that patch file in src.rpm is clearly corrupted by mail and it needs 's/^- --/--/' before it will get accepted by patch program and pushd src/lib/krb5/os %patch44 -p0 -b .anlc_2004-001 popd in a spec file to be applied. I do not see anything in spec comments suggesting that this is not needed anymore. Is this brought from RHSA-2004-448? If yes then Nalin should be told. I did not check how this looks in krb5-1.2.7-16.legacy.src.rpm. ------- Additional Comments From marcdeslauriers 2004-09-05 16:40:03 ---- krb5-1.2.4-13.legacy.7x.src.rpm really is broken. Good catch Michal. I missed that when I QA'd it. ------- Additional Comments From dwb7.edu 2004-09-07 16:20:00 ---- Whups... missed actually applying Patch #44 Patch on rh7.3 seems to like that patch just fine (and it applies w. little fuss). Rebuilding the rpms as I type this. ------- Additional Comments From mattdm 2004-09-07 16:30:02 ---- doh! -- missed that too. sorry. ------- Additional Comments From dwb7.edu 2004-09-07 16:31:10 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Built new packages for RH7.3: sha1sum -b *.rpm 1f0ba7abfab47917f282d7aa08eff2b3caacc620 *krb5-1.2.4-14.legacy.7x.src.rpm d54eab102e8027c7fd92d74d76f127dde0178e6a *krb5-devel-1.2.4-14.legacy.7x.i386.rpm c4cc18dfcbb1bbf2392e05709c348108d9b8763c *krb5-libs-1.2.4-14.legacy.7x.i386.rpm a6e28b798c644f1ec53c255c4a233ec2cb1465a5 *krb5-server-1.2.4-14.legacy.7x.i386.rpm 9b85746f25d0fc730ae6adecb3f61e036bfaba8e *krb5-workstation-1.2.4-14.legacy.7x.i386.rpm download from http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/krb5 - -DWB -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBPm5kSY7s7uPf/IURAhjzAKDg8O4k9Doa76De4dGiI4gUYo0S0gCgpYuG iqHL3Y/Nd+y89kc/rFqQ40Y= =I61w -----END PGP SIGNATURE----- ------- Additional Comments From simon 2004-09-09 10:11:44 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Tested on Redhat 7.3 1f0ba7abfab47917f282d7aa08eff2b3caacc620 krb5-1.2.4-14.legacy.7x.src.rpm d54eab102e8027c7fd92d74d76f127dde0178e6a krb5-devel-1.2.4-14.legacy.7x.i386.rpm c4cc18dfcbb1bbf2392e05709c348108d9b8763c krb5-libs-1.2.4-14.legacy.7x.i386.rpm a6e28b798c644f1ec53c255c4a233ec2cb1465a5 krb5-server-1.2.4-14.legacy.7x.i386.rpm 9b85746f25d0fc730ae6adecb3f61e036bfaba8e krb5-workstation-1.2.4-14.legacy.7x.i386.rpm checksums of source package(s) - OK Patches - OK SPEC file - OK BUILD - OK INSTALL - OK I'm using the libs for authentication via PHP, and it seems to work OK I have not installed or tested the server or workstation rpms, but they do build fine. I vote we push this to updates-testing to get some more feedback, or this might end up getting locked up in Bugzilla for a while, as I'm not sure how many people make full use of Kerberos and can QA it completely. +PUBLISH - - Si -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBQLiqMLOCzgCQslsRAvfZAJ4xAc1sRzH3AxJIWeQmKZRfp2IaDACdFMnr zjZSnr8noB0aHQCGCqG4Bp8= =HtDZ -----END PGP SIGNATURE----- ------- Additional Comments From dwb7.edu 2004-09-22 06:35:04 ---- Tom Yu posted about memory leaks intro'ed by the double free patch: http://mailman.mit.edu/pipermail/kerberos/2004-September/006350.html ------- Additional Comments From ckelley 2004-10-21 11:37:20 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 1f0ba7abfab47917f282d7aa08eff2b3caacc620 krb5-1.2.4-14.legacy.7x.src.rpm - SPEC file looks good - MITKRB5-SA-2004-001-an_to_ln-1.2.txt is quite large, but checks with original MIT published patch - 2004-002-k524d_patch_1.2.5.txt is trivial and good - 2004-002-patch_1.2.7.txt matches MIT version - 2004-003-patch_1.2.8.txt matches MIT version - SRPM builds fine - Built rpms fuzzily match redhat's 1.2.4-11 PUBLISH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBeCwAyQ+yTHz+jJkRAi6qAKCExJo/K/W2MyHVqsNg8O0c4y0/vwCfc7bx wC3Uzp+jmZGOfR0r9lNGx3g= =HaBa -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2004-10-21 16:41:29 ---- I think we should release soon, even with the memory leaks...other distro's haven't updated their packages for the memory leak and I don't see a patch anywhere...we can always fix this at another time if a patch crops up. Still need QA for the rh9 packages. ------- Additional Comments From deisenst 2005-02-15 03:44:43 ---- I would QA this if I ran RH9, but I don't. Am wondering if we'll get anyone to QA this? ------- Additional Comments From pekkas 2005-02-15 03:58:48 ---- Well, well, well.. I guess we now have new vulnerabilities to watch out for :) http://rhn.redhat.com/errata/RHSA-2005-012.html CAN-2004-0971 CAN-2004-1189 Maybe the CAN-2004-0772 can also be fixed at the same time (Red Hat apparently didn't); some vendors have done so.. ------- Additional Comments From pekkas 2005-02-26 04:24:34 ---- We need to decide how to go forward here. A suggestion: * FC1: update to 1.3.6, fixing all the vulns * RHL9: just rebuild RHEL3 update (which includes new features etc as well) - alternative: just take the security patches out of that * RHL73: take the RHEL21 patches and apply them to the latest from RHL9; however, don't include "KRB5_AC_ENABLE_DNS" which was added in RHEL21 - alternative: include KRB5_AC_ENABLE_DNS as RHEL21 does. I'll submit the packages for RHL73 and RHL9 for testing -- I don't use krb5 myself.. ------- Additional Comments From pekkas 2005-02-26 06:50:50 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 RPMs for RHL73 and RHL9 - RHL73 based on 1.2.4-11, plus most patches from RHEL21 (no dns patch) - RHL9 just a rebuild of RHEL3 latest with a different version number Available at: http://staff.csc.fi/psavola/fl/ a233d6cef65bbbb5b8622c0aa69260b637759a90 krb5-1.2.4-15.legacy.src.rpm dea93161506fbd9e7230ddcc81243094ceb8f3b3 krb5-devel-1.2.4-15.legacy.i386.rpm f2311e2618911b012ab45a9096890b33b77eed1f krb5-libs-1.2.4-15.legacy.i386.rpm 6e985e637d778c4f0798a19576582409159709f0 krb5-server-1.2.4-15.legacy.i386.rpm 8565678a9ac7c300de724574bfb4be63a5d25e1b krb5-workstation-1.2.4-15.legacy.i386.rpm 564f1f8a00f2d7c55ad288487bd52713ad1dd4f6 krb5-1.2.7-38.1.legacy.src.rpm fcc05a3f2bb11359cd72bd0ed42e41ba19f15b63 krb5-debuginfo-1.2.7-38.1.legacy.i386.rpm be04293c5a198b8701fbf8eb37de2c28aa36db17 krb5-devel-1.2.7-38.1.legacy.i386.rpm 6b4791d330d269bc13963dc827eaad64edae572a krb5-libs-1.2.7-38.1.legacy.i386.rpm 5db2ddfaf3defd18d756e4af0fd07b448f1ba5b8 krb5-server-1.2.7-38.1.legacy.i386.rpm 7a2d3f0af1be5b35685f48f152b3be83a700552f krb5-workstation-1.2.7-38.1.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFCIKjUGHbTkzxSL7QRAsEOAKCn+TgLA5nWD6ct1rBW9hYSlly+bwCeMQwi 4TFGlvCHJs7XVnyOg7aAwaI= =Nq8P -----END PGP SIGNATURE----- ------- Additional Comments From pekkas 2005-03-01 06:00:22 ---- *** Bug 2267 has been marked as a duplicate of this bug. *** ------- Additional Comments From marcdeslauriers 2005-03-02 18:24:59 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here are updated packages for fc1: Changelog: * Wed Mar 02 2005 Marc Deslauriers <marcdeslauriers> 1.3.4-5.1.legacy - - Added security patches for CAN-2004-0971 and CAN-2004-1189 397741c8b7c5781f72446c6469f72c111aa02d76 krb5-1.3.4-5.1.legacy.src.rpm 4c18d2d31fe39fa080b367541828ab275fc298de krb5-devel-1.3.4-5.1.legacy.i386.rpm c4d844011b87060fc77c543e9c76bea742717706 krb5-libs-1.3.4-5.1.legacy.i386.rpm 669ca1bd5dafd901258f1dcc67e3a28f6939272d krb5-server-1.3.4-5.1.legacy.i386.rpm ffc0544369a667fa8b9d062a12e76dd278c00935 krb5-workstation-1.3.4-5.1.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/krb5-1.3.4-5.1.legacy.src.rpm http://www.infostrategique.com/linuxrpms/legacy/1/krb5-devel-1.3.4-5.1.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/krb5-libs-1.3.4-5.1.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/krb5-server-1.3.4-5.1.legacy.i386.rpm http://www.infostrategique.com/linuxrpms/legacy/1/krb5-workstation-1.3.4-5.1.legacy.i386.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCJpGMLMAs/0C4zNoRAtO2AJoChNn36dvNLcrMsi2UDmO4lfrZQgCfWYSq oiYM/uoI4F7EhdIuLB4+qh8= =1iXW -----END PGP SIGNATURE----- ------- Additional Comments From pekkas 2005-03-02 21:09:10 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 QA for FC1 w/ rpm-build-compare.sh: - source integrity good - spec file changes OK - patches verified to match upstream +PUBLISH FC1 397741c8b7c5781f72446c6469f72c111aa02d76 krb5-1.3.4-5.1.legacy.src.rpm -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFCJrgIGHbTkzxSL7QRAv5cAKDOZz4GDCQQXnlpCy4KH3id/HhQrwCglCR+ LzxcGvOtyHlBE7yO+iwgzXs= =dM6V -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2005-03-06 05:06:08 ---- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did QA on the packages in comment 19: 7.3: a233d6cef65bbbb5b8622c0aa69260b637759a90 krb5-1.2.4-15.legacy.src.rpm - - Source files match previous version - - New patch files match RHEL - - New patch file selection is good - - Spec file changes are good +PUBLISH 9: 564f1f8a00f2d7c55ad288487bd52713ad1dd4f6 krb5-1.2.7-38.1.legacy.src.rpm - - Decision to rebuild RHEL is good, no significant changes - - Source files match RHEL - - Spec file changes are good +PUBLISH -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.6 (GNU/Linux) iD8DBQFCKxxSLMAs/0C4zNoRAjEhAJ9FZ9qlADf2lONd0Tbx04fihqJcEACeJF9Z Ufx9EpMD2I/XQdMMtFCQ/PY= =6Wc3 -----END PGP SIGNATURE----- ------- Additional Comments From marcdeslauriers 2005-03-06 05:07:35 ---- These are ready to go. ------- Additional Comments From marcdeslauriers 2005-03-06 14:28:39 ---- These packages were pushed to updates-testing ------- Bug moved to this database by dkl 2005-03-30 18:26 ------- This bug previously known as bug 2040 at https://bugzilla.fedora.us/ https://bugzilla.fedora.us/show_bug.cgi?id=2040 Originally filed under the Fedora Legacy product and Package request component. Bug blocks bug(s) 1726. Unknown priority P2. Setting to default priority "normal". Unknown severity major. Setting to default severity "normal". The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl. Previous reporter was deisner. Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.
*** Bug 152731 has been marked as a duplicate of this bug. ***
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ++VERIFY for RHL 7.3 Packages: krb5-devel-1.2.4-16.legacy.i386.rpm krb5-libs-1.2.4-16.legacy.i386.rpm krb5-server-1.2.4-16.legacy.i386.rpm krb5-workstation-1.2.4-16.legacy.i386.rpm Signatures and checksums all okay. Installed on two RHL 7.3 machines without problems/errors. Ran some very simple tests which all looked good. Saw no obvious problems or issues. Vote for release. ++VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFCoLQK4jZRbknHoPIRAhSQAJwOHRZLPYyNHD7GICb2bVQ/iCZduQCgnBuu jVhStL0xFVqcBQSQe0CTTgY= =0KAw -----END PGP SIGNATURE-----
One verify, timeouts in 4 weeks (unless superceded by then).
Newer krb5 packages are pending being built to updates-testing, better continue tracking this in #154276.. *** This bug has been marked as a duplicate of 154276 ***