Your message dated Mon, 09 Dec 2024 13:49:21 +0000
with message-id <[email protected]>
and subject line Bug#1077683: fixed in freeipa 4.12.2-1
has caused the Debian Bug report #1077683,
regarding freeipa: CVE-2024-3183
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1077683: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077683
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: freeipa
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerability was published for freeipa.

CVE-2024-3183[0]:
| A vulnerability was found in FreeIPA in a way when a Kerberos TGS-REQ
| is encrypted using the client’s session key. This key is different
| for each new session, which protects it from brute force attacks.
| However, the ticket it contains is encrypted using the target
| principal key directly. For user principals, this key is a hash of a
| public per-principal randomly-generated salt and the user’s password.
| If a principal is compromised it means the attacker would be able to
| retrieve tickets encrypted to any principal, all of them being
| encrypted by their own key directly. By taking these tickets and
| salts offline, the attacker could run brute force attacks to find
| character strings able to decrypt tickets when combined to a
| principal salt (i.e. find the principal’s password).

https://bugzilla.redhat.com/show_bug.cgi?id=2270685


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-3183
    https://www.cve.org/CVERecord?id=CVE-2024-3183

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: freeipa
Source-Version: 4.12.2-1
Done: Timo Aaltonen <[email protected]>

We believe that the bug you reported is fixed in the latest version of
freeipa, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Timo Aaltonen <[email protected]> (supplier of updated freeipa package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 09 Dec 2024 15:34:56 +0200
Source: freeipa
Built-For-Profiles: noudeb
Architecture: source
Version: 4.12.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian FreeIPA Team <[email protected]>
Changed-By: Timo Aaltonen <[email protected]>
Closes: 1018359 1072168 1077682 1077683 1089329
Changes:
 freeipa (4.12.2-1) unstable; urgency=medium
 .
   * New upstream release.
     - CVE-2024-2698 (Closes: #1077682)
     - CVE-2024-3183 (Closes: #1077683)
   * control: Drop conflicts on systemd-timesyncd as upstream recognizes
     it now. (Closes: #1072168)
   * use-raw-strings.diff: Dropped, upstream.
   * rules: Fix installing bash-completions. (Closes: #1089329)
   * control: Drop python3-nose from build-depends, unused. (Closes:
     #1018359)
Checksums-Sha1:
 38dd1bef61a09a834a6c4c5ac4e79fddb53c74ca 3030 freeipa_4.12.2-1.dsc
 e06782e6f1d33fdbdc27011d10737c8d2fb815a8 5699673 freeipa_4.12.2.orig.tar.gz
 9f14dd9a3f5ea25cc9a95e2173abc310303b4a07 281644 freeipa_4.12.2-1.debian.tar.xz
 e0276534aec1e76b0008f32191f75a3c454bba4d 10167 freeipa_4.12.2-1_source.buildinfo
Checksums-Sha256:
 af53e10987bed85a012eb408e3c3bbe32c05674dd3ff9449ad24303c0a21391b 3030 freeipa_4.12.2-1.dsc
 dc88f5404e7613eb6530d71142ef43a9f89019d59cdc6ec25b778413258c317f 5699673 freeipa_4.12.2.orig.tar.gz
 d97139eb7f091b09bee2c1b78dd2981276194b0c25db1b0e4ece8d3a60c755cd 281644 freeipa_4.12.2-1.debian.tar.xz
 90b383148064daf96b7eb7314cd54b39dc32e79aed6278754054766292375cb9 10167 freeipa_4.12.2-1_source.buildinfo
Files:
 064f5aabbae55cb2bd19120188ca8e5b 3030 net optional freeipa_4.12.2-1.dsc
 cebe456f255488fc9a6a82184ffc51fb 5699673 net optional freeipa_4.12.2.orig.tar.gz
 4778a5d25dd5854d3a4c04acc390cba4 281644 net optional freeipa_4.12.2-1.debian.tar.xz
 b119126d2e26bd5e4034a4fa8741e80b 10167 net optional freeipa_4.12.2-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEdS3ifE3rFwGbS2Yjy3AxZaiJhNwFAmdW8g4ACgkQy3AxZaiJ
hNyiqg/8DfVYRTAndSzKJhSzuEmtijwreLxmAS6Jr2X6rogdBT9mZeJOqUPzRqgJ
bzEFcJuApHBhI0tg8wD982PLJohGWGkZpIl+gNaOgCJ2WCX2SFbJPeZ9d2IQa6GP
RUizSfm4znOwl1PVI8IszEsLnvuV+oa4Q6Kr95VVYrFgL3Hv0mzPK4YZak0iKqDt
PNbCGTWRAUS6z0WMBFZqZ0wYMwDptdNGEez0myWnaXAulqA5MPDZII7QNdzmrls5
MpHg1o5EA1y3fhZqu6jvZRsqg9w7MTvHU+L/V6RxsoeCfoP4lEyYkZuyPEKN5Rpd
65yI26uXOyBV4Xct5Ygte+qv/psv1HF3t+klxJwdBj6+aWcgQKCxZOE0TNuMGhtE
UcoE6QZ3myUPPSghIXKQV9WsNsGVAXZunjLx7sW6aLXEQZe+UACaB0e6tPxkgf6U
0IEuFjLwFVPxx+ACW3mR/Ip1WBkaHciog4dk15ryhymG6O980ZKeqIR7DDzW0lfV
HrHA8B7WLUwXmwHcZZfFmOoQYRB+1qrjWk1CHpRsDAxWX1wksrLm8ouwNt+0DUZb
tIJpAZp60X/sk72RjyK9Y9M044RPC7gCMnyNqfqIHHsMW/0CZYF15Eut9O7zs/jV
KjucI+0ofTbyfrcCJTjqg9V/JTND+40oLMi7CckRniDVKgPdF24=
=ERrL
-----END PGP SIGNATURE-----



--- End Message ---
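The changelog above only says that 4.12.2-1 in unstable carries the fix for CVE-2024-3183. Whether a given host is covered comes down to dpkg's version ordering, which has two traps worth checking rather than eyeballing: a tilde sorts before everything, including the end of the string (so 4.12.2~rc1-1 and a backport such as 4.12.2-1~bpo12+1 both sort below 4.12.2-1), and a stable security update may carry the fix under a lower upstream version entirely. The following is an added example, not part of dpkg or the Debian tooling: a Python port of dpkg's verrevcmp() so the comparison can run without dpkg on the box (for instance against a fleet inventory). It assumes the Debian binary package names freeipa-server and freeipa-client, and that you take the fixed version for your suite from the security tracker entry linked above rather than blindly using 4.12.2-1.

```python
"""Decide whether an installed Debian freeipa version sorts at or above the
version that closes #1077683 (4.12.2-1 in unstable), using dpkg's own
version ordering: epoch first, then upstream version, then Debian revision.

Added example, not Debian tooling: a port of dpkg's verrevcmp(). Feed it the
output of  dpkg-query -W -f='${Version}\n' freeipa-server  (or freeipa-client).
For stable or backports, replace FIXED_IN_UNSTABLE with the fixed version the
security tracker lists for that suite; a backport version sorts *below*
4.12.2-1 even though it carries the same upstream code.
"""
import sys

FIXED_IN_UNSTABLE = "4.12.2-1"   # from the changelog above


def _at(s, k):
    """Character k of s, or None past the end (dpkg's NUL terminator)."""
    return s[k] if k < len(s) else None


def _order(c):
    """Weight of a character inside a non-digit run, as in dpkg's order():
    letters sort before punctuation, and '~' sorts before the end of string."""
    if c is None or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # 1. non-digit run, compared character by character by weight
        while (_at(a, i) is not None and not _at(a, i).isdigit()) or \
              (_at(b, j) is not None and not _at(b, j).isdigit()):
            diff = _order(_at(a, i)) - _order(_at(b, j))
            if diff:
                return diff
            i += 1
            j += 1
        # 2. numeric run: drop leading zeros, longer run wins,
        #    otherwise the first differing digit decides
        while _at(a, i) == "0":
            i += 1
        while _at(b, j) == "0":
            j += 1
        while _at(a, i) is not None and _at(a, i).isdigit() and \
              _at(b, j) is not None and _at(b, j).isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if _at(a, i) is not None and _at(a, i).isdigit():
            return 1
        if _at(b, j) is not None and _at(b, j).isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(version):
    """'1:4.12.2-1+deb13u1' -> (1, '4.12.2', '1+deb13u1').
    The epoch precedes the first ':'; the revision follows the last '-'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                      # native package: no Debian revision
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """-1, 0 or 1, matching dpkg --compare-versions."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _verrevcmp(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def carries_fix(installed, fixed=FIXED_IN_UNSTABLE):
    """True when the installed version sorts at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


if __name__ == "__main__":
    # usage: python3 check.py 4.12.2-1~bpo12+1 4.12.2-2 ...
    for v in sys.argv[1:] or [FIXED_IN_UNSTABLE]:
        print(v, "fixed" if carries_fix(v) else "NOT fixed (vs %s)" % FIXED_IN_UNSTABLE)
```

The tilde cases are the ones to remember: a backport string like 4.12.2-1~bpo12+1 is reported as not fixed against 4.12.2-1, which is the correct ordering but the wrong conclusion unless you substitute the fixed version listed for that suite.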
