Your message dated Tue, 23 Feb 2016 16:24:26 +0000
with message-id <[email protected]>
and subject line Bug#813296: fixed in krb5 1.13.2+dfsg-5
has caused the Debian Bug report #813296,
regarding krb5: CVE-2015-8629: xdr_nullstring() doesn't check for terminating null character
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
813296: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813296
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.10.1+dfsg-1
Severity: important
Tags: security upstream patch
Hi,
the following vulnerability was published for krb5.
CVE-2015-8629[0]:
xdr_nullstring() doesn't check for terminating null character
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2015-8629
[1] https://github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: krb5
Source-Version: 1.13.2+dfsg-5
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hartman <[email protected]> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 23 Feb 2016 08:54:09 -0500
Source: krb5
Binary: krb5-user krb5-kdc krb5-kdc-ldap krb5-admin-server krb5-multidev
libkrb5-dev libkrb5-dbg krb5-pkinit krb5-otp krb5-k5tls krb5-doc libkrb5-3
libgssapi-krb5-2 libgssrpc4 libkadm5srv-mit9 libkadm5clnt-mit9 libk5crypto3
libkdb5-8 libkrb5support0 libkrad0 krb5-gss-samples krb5-locales libkrad-dev
Architecture: source
Version: 1.13.2+dfsg-5
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <[email protected]>
Changed-By: Sam Hartman <[email protected]>
Description:
krb5-admin-server - MIT Kerberos master server (kadmind)
krb5-doc - Documentation for MIT Kerberos
krb5-gss-samples - MIT Kerberos GSS Sample applications
krb5-k5tls - TLS plugin for MIT Kerberos
krb5-kdc - MIT Kerberos key server (KDC)
krb5-kdc-ldap - MIT Kerberos key server (KDC) LDAP plugin
krb5-locales - Internationalization support for MIT Kerberos
krb5-multidev - Development files for MIT Kerberos without Heimdal conflict
krb5-otp - OTP plugin for MIT Kerberos
krb5-pkinit - PKINIT plugin for MIT Kerberos
krb5-user - Basic programs to authenticate using MIT Kerberos
libgssapi-krb5-2 - MIT Kerberos runtime libraries - krb5 GSS-API Mechanism
libgssrpc4 - MIT Kerberos runtime libraries - GSS enabled ONCRPC
libk5crypto3 - MIT Kerberos runtime libraries - Crypto Library
libkadm5clnt-mit9 - MIT Kerberos runtime libraries - Administration Clients
libkadm5srv-mit9 - MIT Kerberos runtime libraries - KDC and Admin Server
libkdb5-8 - MIT Kerberos runtime libraries - Kerberos database
libkrad-dev - MIT Kerberos RADIUS Library Development
libkrad0 - MIT Kerberos runtime libraries - RADIUS library
libkrb5-3 - MIT Kerberos runtime libraries
libkrb5-dbg - Debugging files for MIT Kerberos
libkrb5-dev - Headers and development libraries for MIT Kerberos
libkrb5support0 - MIT Kerberos runtime libraries - Support library
Closes: 813126 813127 813296
Changes:
krb5 (1.13.2+dfsg-5) unstable; urgency=high
.
* Security Update
* Verify decoded kadmin C strings [CVE-2015-8629]
CVE-2015-8629: An authenticated attacker can cause kadmind to read
beyond the end of allocated memory by sending a string without a
terminating zero byte. Information leakage may be possible for an
attacker with permission to modify the database. (Closes: #813296)
* Check for null kadm5 policy name [CVE-2015-8630]
CVE-2015-8630: An authenticated attacker with permission to modify a
principal entry can cause kadmind to dereference a null pointer by
supplying a null policy value but including KADM5_POLICY in the mask.
(Closes: #813127)
* Fix leaks in kadmin server stubs [CVE-2015-8631]
CVE-2015-8631: An authenticated attacker can cause kadmind to leak
memory by supplying a null principal name in a request which uses one.
Repeating these requests will eventually cause kadmind to exhaust all
available memory. (Closes: #813126)
Checksums-Sha1:
1ba079eedfbc4e0aa7f5a6209ca18b807f255306 3192 krb5_1.13.2+dfsg-5.dsc
ba403e658d93aa9fa1d0f06af8e1ff3578d1644d 101968 krb5_1.13.2+dfsg-5.debian.tar.xz
Checksums-Sha256:
b52caa3fd7211250987f2f0319579992a7f2bc24c47c766fdfc0403945dbfbdb 3192 krb5_1.13.2+dfsg-5.dsc
8f8c951a524af50b300f524cd14bd946ea802e81eddbc719f9b71719158b9c1d 101968 krb5_1.13.2+dfsg-5.debian.tar.xz
Files:
26291c211f242483c683f33fbec4318c 3192 net standard krb5_1.13.2+dfsg-5.dsc
e43b4ba1ea32fa6a1f00b301d643fa63 101968 net standard krb5_1.13.2+dfsg-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQGIBAEBCAAGBQJWzGVyAAoJEHyaUfYmslafxxULXiZCYFyE1zSoSj6jF/unDV0u
FAkLQvQmVKa84VZ9nLETGGSBBSXGuEuu/donK2RttGjZGobNaBIJeNkRDLchnqco
NKTT8OhX0kyseaLX/upp84oMq+ouoM5PkxzfqlF/QcLzDRDEttzXmI9jTFnjyM0Y
6CB9WgrW0XP03IjJ0iKWU4c+tD5j9nNYvTbBuUowlorFLbFCw0cIlBZ/ldYH1/M+
XJyXr9EX7eq8p5jtaK6OXvkkyJRx0BwTSZ+oJTSzBu/kOpMd5xIBPn+alMmeE86k
ralA/q600tnU41oBMw3DCQk2XxA3b3JMoxs1Jzc8y3rzdaunJm8MpJnB1BPE8u9+
rIqiIfUZwhURQs9pBxrfJ9TGVDnEj0hBHuPIH+2PlSBVcBlG78IWKYeWQFzjztYH
V6L0Wpo7d1JkLEoZlIe4td7gh6F7nXevFTXnM/whooa/ecTsW70EtgsFwIJBaJin
GfKwq47dsx3ulhY=
=fCK3
-----END PGP SIGNATURE-----
--- End Message ---
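The CVE-2015-8629 changelog entry above describes the defect class: a decoder accepts a counted string from the wire, and later C code calls strlen()-style routines on it assuming a terminating zero byte that the peer never sent, so reads run past the allocation. The following is an added illustration written for this page; it is not krb5's xdr_nullstring() and not the upstream patch linked in the bug report. It assumes the usual XDR layout for a counted string (4-byte big-endian length, then the bytes, padded to a multiple of 4), treats the length as including the terminating NUL, and uses a constructed size cap MAX_NULLSTRING_LEN. The validation step after the copy is the point: the last decoded byte must be NUL and there must be no earlier NUL, so the returned buffer is a well-formed C string of exactly the advertised length. All sample wire bytes are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on decoded string length (assumption for this example). */
#define MAX_NULLSTRING_LEN 4096u

/* Decode one XDR-style counted string that is expected to be a C string.
 * Returns a malloc'd NUL-terminated string (caller frees) or NULL if the
 * input is truncated, oversized, not NUL-terminated, or contains an
 * embedded NUL. *consumed receives the number of input bytes used. */
char *decode_nullstring(const uint8_t *in, size_t in_len, size_t *consumed)
{
    uint32_t size;
    size_t padded;
    char *s;

    if (in_len < 4)
        return NULL;
    size = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8) | (uint32_t)in[3];
    /* The length counts the terminating NUL, so zero can never be valid. */
    if (size == 0 || size > MAX_NULLSTRING_LEN)
        return NULL;
    padded = ((size_t)size + 3) & ~(size_t)3;   /* XDR pads to 4 bytes */
    if (in_len - 4 < padded)
        return NULL;                            /* truncated message */
    s = malloc(size);
    if (s == NULL)
        return NULL;
    memcpy(s, in + 4, size);
    /* The check the advisory is about: without it, a peer that omits the
     * zero byte makes every later strlen()/strcpy() read past 'size'. */
    if (s[size - 1] != '\0' ||
        memchr(s, '\0', size) != (void *)(s + size - 1)) {
        free(s);
        return NULL;
    }
    if (consumed != NULL)
        *consumed = 4 + padded;
    return s;
}

/* Helpers returning plain ints so results can be checked without output. */
int nullstring_decodes_to(const uint8_t *in, size_t in_len, const char *expected)
{
    char *s = decode_nullstring(in, in_len, NULL);
    int ok;
    if (s == NULL)
        return 0;
    ok = strcmp(s, expected) == 0;
    free(s);
    return ok;
}

int nullstring_rejected(const uint8_t *in, size_t in_len)
{
    char *s = decode_nullstring(in, in_len, NULL);
    if (s == NULL)
        return 1;
    free(s);
    return 0;
}

size_t nullstring_consumed(const uint8_t *in, size_t in_len)
{
    size_t used = 0;
    char *s = decode_nullstring(in, in_len, &used);
    if (s == NULL)
        return 0;
    free(s);
    return used;
}

/* Constructed sample wire bytes. */
static const uint8_t GOOD[]      = { 0, 0, 0, 4, 'a', 'b', 'c', 0 };  /* "abc\0" */
static const uint8_t SHORT_OK[]  = { 0, 0, 0, 3, 'a', 'b', 0, 0 };    /* "ab\0" + pad */
static const uint8_t NO_NUL[]    = { 0, 0, 0, 3, 'a', 'b', 'c', 0 };  /* last byte 'c' */
static const uint8_t EMBEDDED[]  = { 0, 0, 0, 4, 'a', 0, 'b', 0 };    /* NUL too early */
static const uint8_t TRUNCATED[] = { 0, 0, 0, 8, 'a', 'b', 'c', 0 };  /* claims 8 bytes */
static const uint8_t HUGE[]      = { 0xff, 0xff, 0xff, 0xff, 0, 0, 0, 0 };

int main(void)
{
    printf("GOOD      -> %s\n", nullstring_decodes_to(GOOD, sizeof GOOD, "abc") ? "accepted" : "rejected");
    printf("NO_NUL    -> %s\n", nullstring_rejected(NO_NUL, sizeof NO_NUL) ? "rejected" : "accepted");
    printf("EMBEDDED  -> %s\n", nullstring_rejected(EMBEDDED, sizeof EMBEDDED) ? "rejected" : "accepted");
    printf("TRUNCATED -> %s\n", nullstring_rejected(TRUNCATED, sizeof TRUNCATED) ? "rejected" : "accepted");
    return 0;
}
```

Rejecting the message at decode time, rather than trusting the counted length, is what turns a remote out-of-bounds read into a logged protocol error; the same shape of check (terminator present, no embedded terminator, total length as advertised) applies to any wire format that hands counted bytes to C string routines.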