Your message dated Fri, 05 Feb 2016 10:47:08 +0000
with message-id <[email protected]>
and subject line Bug#813296: fixed in krb5 1.12.1+dfsg-19+deb8u2
has caused the Debian Bug report #813296,
regarding krb5: CVE-2015-8629: xdr_nullstring() doesn't check for terminating null character
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
813296: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813296
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.10.1+dfsg-1
Severity: important
Tags: security upstream patch

Hi,

the following vulnerability was published for krb5.

CVE-2015-8629[0]:
xdr_nullstring() doesn't check for terminating null character

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2015-8629
[1] https://github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: krb5
Source-Version: 1.12.1+dfsg-19+deb8u2

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <[email protected]> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sun, 31 Jan 2016 11:48:01 +0100
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev 
libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-doc libkrb5-3 
libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit9 libkadm5clnt-mit9 libk5crypto3 
libkdb5-7 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: all source
Version: 1.12.1+dfsg-19+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Sam Hartman <[email protected]>
Changed-By: Salvatore Bonaccorso <[email protected]>
Closes: 813126 813127 813296
Description: 
 krb5-admin-server - MIT Kerberos master server (kadmind)
 krb5-doc   - Documentation for MIT Kerberos
 krb5-gss-samples - MIT Kerberos GSS Sample applications
 krb5-kdc   - MIT Kerberos key server (KDC)
 krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
 krb5-locales - Internationalization support for MIT Kerberos
 krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
 krb5-otp   - OTP plugin for MIT Kerberos
 krb5-pkinit - PKINIT plugin for MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
 libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
 libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
 libkadm5clnt-mit9 - MIT Kerberos runtime libraries - Administration Clients
 libkadm5srv-mit9 - MIT Kerberos runtime libraries - KDC and Admin Server
 libkdb5-7  - MIT Kerberos runtime libraries - Kerberos database
 libkrad-dev - MIT Kerberos RADIUS Library Development
 libkrad0   - MIT Kerberos runtime libraries - RADIUS library
 libkrb5-3  - MIT Kerberos runtime libraries
 libkrb5-dbg - Debugging files for MIT Kerberos
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb5support0 - MIT Kerberos runtime libraries - Support library
Changes:
 krb5 (1.12.1+dfsg-19+deb8u2) jessie-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Verify decoded kadmin C strings [CVE-2015-8629]
     CVE-2015-8629: An authenticated attacker can cause kadmind to read
     beyond the end of allocated memory by sending a string without a
     terminating zero byte. Information leakage may be possible for an
     attacker with permission to modify the database. (Closes: #813296)
   * Check for null kadm5 policy name [CVE-2015-8630]
     CVE-2015-8630: An authenticated attacker with permission to modify a
     principal entry can cause kadmind to dereference a null pointer by
     supplying a null policy value but including KADM5_POLICY in the mask.
     (Closes: #813127)
   * Fix leaks in kadmin server stubs [CVE-2015-8631]
     CVE-2015-8631: An authenticated attacker can cause kadmind to leak
     memory by supplying a null principal name in a request which uses one.
     Repeating these requests will eventually cause kadmind to exhaust all
     available memory. (Closes: #813126)


--- End Message ---
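The string check the changelog describes for CVE-2015-8629, as an added illustration in C that is not krb5's own xdr_nullstring() code: a decoded XDR string is only a valid C string if its last byte is NUL and no earlier byte is, otherwise later strlen()-style use reads past the allocation. The XDR wire layout in the decoder and the helper names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not krb5's): len counts the terminator, so the last
 * byte must be NUL and no earlier byte may be. Without the first check a
 * later strlen() reads past the allocation; without the second the string
 * silently truncates and length-based code disagrees with NUL-based code. */
bool c_string_ok(const char *buf, size_t len)
{
    if (len == 0 || buf[len - 1] != '\0')
        return false;
    return memchr(buf, '\0', len - 1) == NULL;
}

/* Decode one XDR string (4-byte big-endian length, bytes, zero padding to a
 * 4-byte boundary; layout assumed) into a malloc'd buffer, then apply the
 * check. Returns NULL for any malformed input. */
char *decode_checked_string(const uint8_t *msg, size_t msglen)
{
    if (msglen < 4) return NULL;
    uint32_t n = (uint32_t)msg[0] << 24 | (uint32_t)msg[1] << 16 |
                 (uint32_t)msg[2] << 8 | msg[3];
    if (n == 0 || n > msglen - 4)
        return NULL;                    /* length field exceeds message */
    size_t padded = ((size_t)n + 3) & ~(size_t)3;
    if (padded > msglen - 4)
        return NULL;                    /* padding bytes missing */
    char *out = malloc(n);
    if (out == NULL)
        return NULL;
    memcpy(out, msg + 4, n);
    if (!c_string_ok(out, n)) {         /* the CVE-2015-8629 check */
        free(out);
        return NULL;
    }
    return out;
}

/* Decode a constructed message, compare with the expected C string, free. */
bool decodes_to(const uint8_t *msg, size_t msglen, const char *expect)
{
    char *s = decode_checked_string(msg, msglen);
    bool ok = s != NULL && strcmp(s, expect) == 0;
    free(s);
    return ok;
}
```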