[Fedora] Vulnerability in MIT Kerberos 5 before version 1.7.2 or 1.8.1 - FEDORA-2010-4677


Dear colleagues,

we have just received the following Fedora Security Advisory. We are
forwarding this information to you unchanged.

RedHat Bug ID 569472 - Vulnerability in the PAM support of the Kerberos
FTP server

The patch adding PAM support to the bundled FTP server invokes the FTP
server (/usr/kerberos/sbin/ftpd) in the default configuration without
the "-a" parameter, so that an authentication attempt by a non-existent
user causes a segmentation fault. A local attacker can exploit this
vulnerability to trigger a denial of service.

CVE-2010-0628 - Vulnerability in the GSSAPI SPNEGO mechanism

In MIT Kerberos 5, an assertion failure can be triggered in the function
spnego_gss_accept_sec_context() of the GSSAPI SPNEGO mechanism (from
lib/gssapi/spnego/spnego_mech.c). By a suitable choice of invalid
ContextFlags in the reqFlags field of NegTokenInit, applications that use
GSSAPI SPNEGO can be crashed. This affects, among others, the Kerberos
administration daemon (kadmind) and the FTP daemon. A local attacker can
exploit this vulnerability to trigger a denial of service.

The following software packages and platforms are affected:

Package krb5

Fedora 12

The vendor provides updated packages.

Vendor advisory:
http://lists.fedoraproject.org/pipermail/package-announce/2010-March/038129.html

(c) of the German summary: DFN-CERT Services GmbH; distribution, including
in excerpts, is permitted only with attribution to the author, DFN-CERT
Services GmbH, and only for non-commercial purposes.

Kind regards,
Detlev O. Matthies

-- 

Detlev O. Matthies, M.Sc. (Incident Response Team)

DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski

Automatic warning messages https://www.cert.dfn.de/autowarn

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-4677
2010-03-16 23:03:30
--------------------------------------------------------------------------------

Name : krb5
Product : Fedora 12
Version : 1.7.1
Release : 6.fc12
URL : http://web.mit.edu/kerberos/www/
Summary : The Kerberos network authentication system
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.

--------------------------------------------------------------------------------
Update Information:

A GSSAPI-authenticated service could be remotely forced to trigger an assertion
failure by sending it certain invalid messages (MITKRB5-SA-2010-002,
CVE-2010-0628). The included patch for adding PAM support to the bundled FTP
server contained a bug which would cause the service to crash if a client
attempted to authenticate as a user who was not known to the server system. In
the default xinetd configuration, the service would be invoked with the -a flag,
and this would therefore only be possible if the client authenticated using
GSSAPI beforehand.
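As an added example (not part of the Fedora advisory or of the DFN-CERT mail), the following Python script turns the two statements above into a local audit: it compares an installed krb5 version-release against the fixed builds named in the changelog (1.7.1-4 for Bug #569472, 1.7.1-6 for CVE-2010-0628) using a simplified rpmvercmp, and checks whether a gssftp xinetd stanza still passes the -a flag to ftpd. The version strings and the stanza text are constructed samples, and the stanza file name /etc/xinetd.d/gssftp is an assumption.

```python
"""Audit helper for FEDORA-2010-4677 (added example, not the advisory's own
code). Compares an installed krb5 version-release against the fixed builds
named in the changelog and checks an xinetd stanza for ftpd's "-a" flag."""
import re

FIXED_SPNEGO = ("1.7.1", "6")    # CVE-2010-0628 fixed in 1.7.1-6 (changelog)
FIXED_FTPD_PAM = ("1.7.1", "4")  # Bug #569472 fixed in 1.7.1-4 (changelog)

def rpm_segments(s):
    # Split "6.fc12" into alternating digit/alpha runs, as rpmvercmp does.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Simplified rpmvercmp: digits compare numerically, letters lexically,
    a digit run beats a letter run, and more segments win a tie."""
    sa, sb = rpm_segments(a), rpm_segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(installed_vr, fixed):
    """installed_vr is 'version-release', e.g. rpm -q --qf '%{V}-%{R}' krb5."""
    version, release = installed_vr.split("-", 1)
    c = rpmvercmp(version, fixed[0])
    return c > 0 or (c == 0 and rpmvercmp(release, fixed[1]) >= 0)

def ftpd_has_auth_flag(stanza):
    """True when server_args passes -a, so only GSSAPI-authenticated
    clients reach the PAM code path (assumed /etc/xinetd.d/gssftp layout)."""
    m = re.search(r"^\s*server_args\s*=\s*(.*)$", stanza, re.M)
    return bool(m) and "-a" in m.group(1).split()

def assess(installed_vr, stanza):
    """Return the advisory findings still open for this version and config."""
    findings = []
    if not is_fixed(installed_vr, FIXED_SPNEGO):
        findings.append("CVE-2010-0628: SPNEGO assertion failure unpatched")
    if not is_fixed(installed_vr, FIXED_FTPD_PAM):
        who = "GSSAPI-authenticated clients" if ftpd_has_auth_flag(stanza) else "any client"
        findings.append("Bug #569472: ftpd PAM crash reachable by " + who)
    return findings

# Constructed sample stanza modelled on the default -a invocation described above.
SAMPLE_STANZA = "service gssftp\n{\n\tserver = /usr/kerberos/sbin/ftpd\n\tserver_args = -l -a\n}\n"
```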
--------------------------------------------------------------------------------
ChangeLog:

* Tue Mar 23 2010 Nalin Dahyabhai - 1.7.1-6
- add fix for denial-of-service in SPNEGO (CVE-2010-0628)
* Mon Mar 8 2010 Nalin Dahyabhai - 1.7.1-5
- pull up patch to get the client libraries to correctly perform password
  changes over IPv6 (Sumit Bose, RT#6661)
* Wed Mar 3 2010 Nalin Dahyabhai - 1.7.1-4
- fix a null pointer dereference and crash introduced in our PAM patch that
  would happen if ftpd was given the name of a user who wasn't known to the
  local system, limited to being triggerable by gssapi-authenticated clients by
  the default xinetd config (Olivier Fourdan, #569472)
* Tue Mar 2 2010 Nalin Dahyabhai - 1.7.1-3
- fix a regression (not labeling a kdb database lock file correctly, #569902)
* Tue Feb 16 2010 Nalin Dahyabhai - 1.7.1-2
- apply patch from upstream to fix KDC denial of service (CVE-2010-0283,
* Wed Feb 3 2010 Nalin Dahyabhai - 1.7.1-1
- update to 1.7.1
  - don't trip AD lockout on wrong password (#542687, #554351)
  - incorporates fixes for CVE-2009-4212 and CVE-2009-3295
  - fixes gss_krb5_copy_ccache() when SPNEGO is used
- move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to
  the devel subpackage, better lining up with the expected krb5/krb5-appl
  split in 1.8
- drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it already
  depends on -workstation which also includes them
* Mon Jan 25 2010 Nalin Dahyabhai - 1.7-23
- tighten up default permissions on kdc.conf and kadm5.acl (#558343)
* Fri Jan 22 2010 Nalin Dahyabhai - 1.7-22
- use portreserve correctly -- portrelease takes the basename of the file
  whose entries should be released, so we need three files, not one
* Mon Jan 18 2010 Nalin Dahyabhai - 1.7-21
- suppress warnings of impending password expiration if expiration is more than
  seven days away when the KDC reports it via the last-req field, just as we
  already do when it reports expiration via the key-expiration field (#556495)
- link with libtinfo rather than libncurses, when we can, in future RHEL
* Fri Jan 15 2010 Nalin Dahyabhai - 1.7-20
- krb5_get_init_creds_password: check opte->flags instead of options->flags
  when checking whether or not we get to use the prompter callback (#555875)
* Thu Jan 14 2010 Nalin Dahyabhai - 1.7-19
- use portreserve to make sure the KDC can always bind to the kerberos-iv
  port, kpropd can always bind to the krb5_prop port, and that kadmind can
  always bind to the kerberos-adm port (#555279)
- correct inadvertent use of macros in the changelog (rpmlint)
* Tue Jan 12 2010 Nalin Dahyabhai - 1.7-18
- add upstream patch for integer underflow during AES and RC4 decryption
  (CVE-2009-4212), via Tom Yu (#545015)
* Wed Jan 6 2010 Nalin Dahyabhai - 1.7-17
- put the conditional back for the -devel subpackage
- back down to the earlier version of the patch for #551764; the backported
  alternate version was incomplete
* Tue Jan 5 2010 Nalin Dahyabhai - 1.7-16
- use %global instead of %define
- pull up proposed patch for creating previously-not-there lock files for
  kdb databases when 'kdb5_util' is called to 'load' (#551764)
* Mon Jan 4 2010 Dennis Gregorovic
- fix conditional for future RHEL
* Mon Jan 4 2010 Nalin Dahyabhai - 1.7-15
- add upstream patch for KDC crash during referral processing (CVE-2009-3295),
  via Tom Yu (#545002)
* Mon Dec 21 2009 Nalin Dahyabhai - 1.7-14
- refresh patch for #542868 from trunk
* Thu Dec 10 2009 Nalin Dahyabhai
- move man pages that live in the -libs subpackage into the regular
  %{_mandir} tree where they'll still be found if that package is the
  only one installed (#529319)
* Wed Dec 9 2009 Nalin Dahyabhai - 1.7-13
- and put it back in
* Tue Dec 8 2009 Nalin Dahyabhai
- back that last change out
* Tue Dec 8 2009 Nalin Dahyabhai - 1.7-12
- try to make gss_krb5_copy_ccache() work correctly for spnego (#542868)
* Fri Dec 4 2009 Nalin Dahyabhai
- make krb5-config suppress CFLAGS output when called with --libs (#544391)
* Thu Dec 3 2009 Nalin Dahyabhai - 1.7-11
- ksu: move account management checks to before we drop privileges, like
  su does (#540769)
- selinux: set the user part of file creation contexts to match the current
  context instead of what we looked up
- configure with --enable-dns-for-realm instead of --enable-dns, which isn't
  recognized any more
* Fri Nov 20 2009 Nalin Dahyabhai - 1.7-10
- move /etc/pam.d/ksu from krb5-workstation-servers to krb5-workstation,
  where it's actually needed (#538703)
* Fri Oct 23 2009 Nalin Dahyabhai - 1.7-9
- add some conditional logic to simplify building on older Fedora releases
* Tue Oct 13 2009 Nalin Dahyabhai
- don't forget the README
--------------------------------------------------------------------------------
References:

[ 1 ] Bug #566258 - CVE-2010-0628 krb5: Assertion failure in GSSAPI SPNEGO mechanism (MITKRB5-SA-2010-002)
https://bugzilla.redhat.com/show_bug.cgi?id=566258
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program. Use
su -c 'yum update krb5' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------