Package: release.debian.org Severity: normal Tags: stretch User: release.debian....@packages.debian.org Usertags: pu
I'd like to propose an update for a couple of bugs in krb5. There's one security DoS that DSA and I decided is not worth an advisory. The other bugs are regressions over the krb5 in Jessie. They were fixed before stretch released, but I wanted to get a bit more experience with the patch. The patches have been in an Ubuntu SRU and unstable/buster for a while and so I think we have confidence in them now. Improved v6 support broke some v4-only configurations. Also, OTP support broke if you were using KDC location via SRV records. Since that's basically how everyone locates KDCs these days, that meant OTP was fairly close to completely broken. The attached diff was produced by `git diff debian/1.15-1..debian/1.15-1+deb9u1 debian`. I'm using a DPM workflow, and that diff seems to be a cleaner way to actually review the changes than a debdiff or a diff of the full git trees. Even so, it appears that git has changed how much data it includes in index lines in diffs and so there's a bit of churn in the existing patches. I've reviewed the entire diff and the churn is just in index lines. diff --git a/debian/.git-dpm b/debian/.git-dpm index c6910273e0..ac1df21a22 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -7f866a47894f28f3065936d45de17e3e2df9ab18 -7f866a47894f28f3065936d45de17e3e2df9ab18 +ae9e8a761c3518843c4b94484c3d095320f1f7bd +ae9e8a761c3518843c4b94484c3d095320f1f7bd 33a6a841b455f9d0fbc6a1bd5463d3960d5b95fe 33a6a841b455f9d0fbc6a1bd5463d3960d5b95fe krb5_1.15.orig.tar.gz diff --git a/debian/changelog b/debian/changelog index ab1e7df019..06e64454e6 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -1,3 +1,15 @@ +krb5 (1.15-1+deb9u1) stretch; urgency=high + + * CVE-2017-11368: Remote authenticated attackers can crash the KDC, + Closes: #869260 + * Upstream patches to fix startup if getaddrinfo() returns a wildcard v6 + address, and to fix handling of explicitly specified v4 wildcard + address; regression over previous versions, Closes: #860767 + * Fix SRV lookups to respect udp_preference_limit, regression over + previous versions with OTP, Closes: #856307 + + -- Sam Hartman <hartm...@debian.org> Wed, 09 Aug 2017 12:19:50 -0400 + krb5 (1.15-1) unstable; urgency=medium [ Benjamin Kaduk ] diff --git a/debian/patches/0010-Initial-German-translations.patch b/debian/patches/0010-Initial-German-translations.patch index e7d5011e59..0c7d198a54 100644 --- a/debian/patches/0010-Initial-German-translations.patch +++ b/debian/patches/0010-Initial-German-translations.patch @@ -13,7 +13,7 @@ modified 2016-11-04 to actually build the German catalogue. create mode 100644 src/po/de.po diff --git a/src/po/Makefile.in b/src/po/Makefile.in -index fdaf872..6753447 100644 +index fdaf872a16..6753447dc7 100644 --- a/src/po/Makefile.in +++ b/src/po/Makefile.in @@ -18,7 +18,7 @@ ETSRCS= $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.c \ @@ -27,7 +27,7 @@ index fdaf872..6753447 100644 .po.mo: diff --git a/src/po/de.po b/src/po/de.po new file mode 100644 -index 0000000..fd199b3 +index 0000000000..fd199b372a --- /dev/null +++ b/src/po/de.po @@ -0,0 +1,9301 @@ diff --git a/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch b/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch index 790400e806..bd93b76813 100644 --- a/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch +++ b/debian/patches/debian-local/0001-Debian-HURD-compatibility.patch @@ -18,7 +18,7 @@ Patch-Category: debian-local 8 files changed, 30 insertions(+) diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h -index ee8e9d6..695305f 100644 +index ee8e9d6a0f..695305fe7d 100644 
--- a/src/clients/ksu/ksu.h +++ b/src/clients/ksu/ksu.h @@ -56,6 +56,10 @@ @@ -33,7 +33,7 @@ index ee8e9d6..695305f 100644 extern int optind; extern char * optarg; diff --git a/src/include/k5-int.h b/src/include/k5-int.h -index 6499173..63c509a 100644 +index 64991738a3..63c509a2a1 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -580,6 +580,9 @@ extern char *strdup (const char *); @@ -47,7 +47,7 @@ index 6499173..63c509a 100644 #ifdef HAVE_SYS_FILE_H #include <sys/file.h> /* prototypes for file-related diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c -index 20a348c..b8b61ce 100644 +index 20a348c805..b8b61cef84 100644 --- a/src/kadmin/ktutil/ktutil_funcs.c +++ b/src/kadmin/ktutil/ktutil_funcs.c @@ -33,6 +33,10 @@ @@ -62,7 +62,7 @@ index 20a348c..b8b61ce 100644 * Free a kt_list */ diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 9d6027c..585d8a6 100644 +index 9d6027ce80..585d8a6581 100644 --- a/src/lib/gssapi/spnego/spnego_mech.c +++ b/src/lib/gssapi/spnego/spnego_mech.c @@ -65,6 +65,9 @@ @@ -76,7 +76,7 @@ index 9d6027c..585d8a6 100644 #undef g_token_size #undef g_verify_token_header diff --git a/src/lib/krb5/os/sn2princ.c b/src/lib/krb5/os/sn2princ.c -index 5932fd9..187daa8 100644 +index 5932fd9b3f..187daa84d6 100644 --- a/src/lib/krb5/os/sn2princ.c +++ b/src/lib/krb5/os/sn2princ.c @@ -126,6 +126,10 @@ find_trailer(const char *hostname) @@ -91,7 +91,7 @@ index 5932fd9..187daa8 100644 krb5_sname_to_principal(krb5_context context, const char *hostname, const char *sname, krb5_int32 type, diff --git a/src/plugins/kdb/db2/libdb2/include/db-int.h b/src/plugins/kdb/db2/libdb2/include/db-int.h -index 7e981d4..d83b3b6 100644 +index 7e981d4a5f..d83b3b6a6f 100644 --- a/src/plugins/kdb/db2/libdb2/include/db-int.h +++ b/src/plugins/kdb/db2/libdb2/include/db-int.h @@ -280,4 +280,8 @@ void __dbpanic __P((DB *dbp)); 
@@ -104,7 +104,7 @@ index 7e981d4..d83b3b6 100644 +#endif #endif /* _DB_INT_H_ */ diff --git a/src/slave/kprop_util.c b/src/slave/kprop_util.c -index f182554..0658390 100644 +index f182554e61..06583909ea 100644 --- a/src/slave/kprop_util.c +++ b/src/slave/kprop_util.c @@ -32,6 +32,10 @@ @@ -119,7 +119,7 @@ index f182554..0658390 100644 * Convert an IPv4 or IPv6 socket address to a newly allocated krb5_address. * There is similar code elsewhere in the tree, so this should possibly become diff --git a/src/tests/resolve/resolve.c b/src/tests/resolve/resolve.c -index 7339d21..38f7253 100644 +index 7339d21bd9..38f725322b 100644 --- a/src/tests/resolve/resolve.c +++ b/src/tests/resolve/resolve.c @@ -73,6 +73,10 @@ char *strchr(); diff --git a/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch b/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch index 7d274c2dd4..271b563999 100644 --- a/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch +++ b/debian/patches/debian-local/0002-debian-suppress-multi-arch-paths-in-krb5-config.patch @@ -14,7 +14,7 @@ Patch-Category: debian-local 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index f6184da..637bad7 100755 +index f6184da3fb..637bad7c75 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in @@ -138,6 +138,7 @@ if test -n "$do_help"; then diff --git a/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch b/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch index 76bfbc3857..4234b3e2fd 100644 --- a/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch +++ b/debian/patches/debian-local/0003-debian-osconf.hin-path-changes.patch @@ -9,7 +9,7 @@ Patch-Category: debian-local 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/src/include/osconf.hin b/src/include/osconf.hin -index 98a4674..2f51cc1 100644 +index 98a467454b..2f51cc13c7 100644 --- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -59,7 +59,7 @@ diff --git a/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch b/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch index 6338aa3b1d..dcc512a5a2 100644 --- a/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch +++ b/debian/patches/debian-local/0004-debian-install-ldap-library-in-subdirectory.patch @@ -16,7 +16,7 @@ Patch-Category: debian-local 2 files changed, 2 insertions(+) diff --git a/src/plugins/kdb/ldap/Makefile.in b/src/plugins/kdb/ldap/Makefile.in -index 94df816..2ed562b 100644 +index 94df816eb5..2ed562b110 100644 --- a/src/plugins/kdb/ldap/Makefile.in +++ b/src/plugins/kdb/ldap/Makefile.in @@ -20,6 +20,7 @@ SHLIB_EXPDEPS = \ @@ -28,7 +28,7 @@ index 94df816..2ed562b 100644 SRCS= $(srcdir)/ldap_exp.c diff --git a/src/plugins/kdb/ldap/ldap_util/Makefile.in b/src/plugins/kdb/ldap/ldap_util/Makefile.in -index 8669c24..2d92a26 100644 +index 8669c2436c..2d92a26be5 100644 --- a/src/plugins/kdb/ldap/ldap_util/Makefile.in +++ b/src/plugins/kdb/ldap/ldap_util/Makefile.in @@ -2,6 +2,7 @@ mydir=plugins$(S)kdb$(S)ldap$(S)ldap_util diff --git a/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch b/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch index abf290bfcf..0b1bb8f7b3 100644 --- a/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch +++ b/debian/patches/debian-local/0005-gssapi-never-unload-mechanisms.patch @@ -20,7 +20,7 @@ Patch-Category: debian-local 1 file changed, 2 deletions(-) diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c -index 9197666..890bd2c 100644 +index 9197666e10..890bd2c037 100644 --- a/src/lib/gssapi/mechglue/g_initialize.c 
+++ b/src/lib/gssapi/mechglue/g_initialize.c @@ -562,8 +562,6 @@ releaseMechInfo(gss_mech_info *pCf) diff --git a/debian/patches/debian-local/0006-Add-substpdf-target.patch b/debian/patches/debian-local/0006-Add-substpdf-target.patch index 6bcca358cc..2f89ed74ca 100644 --- a/debian/patches/debian-local/0006-Add-substpdf-target.patch +++ b/debian/patches/debian-local/0006-Add-substpdf-target.patch @@ -13,7 +13,7 @@ Patch-Category: debian-local 1 file changed, 15 insertions(+) diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in -index 1fb5fea..043de76 100644 +index 1fb5fea927..043de76fa5 100644 --- a/src/doc/Makefile.in +++ b/src/doc/Makefile.in @@ -87,6 +87,21 @@ pdf: $(PDFDIR) diff --git a/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch b/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch index b47e7b7937..60aa69498f 100644 --- a/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch +++ b/debian/patches/debian-local/0007-Fix-pkg-config-library-include-paths.patch @@ -17,7 +17,7 @@ Patch-Category: debian-local 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/build-tools/gssrpc.pc.in b/src/build-tools/gssrpc.pc.in -index ca90921..e08c2e8 100644 +index ca909217eb..e08c2e840a 100644 --- a/src/build-tools/gssrpc.pc.in +++ b/src/build-tools/gssrpc.pc.in @@ -1,7 +1,7 @@ @@ -31,7 +31,7 @@ index ca90921..e08c2e8 100644 Name: gssrpc diff --git a/src/build-tools/kadm-client.pc.in b/src/build-tools/kadm-client.pc.in -index c8d1cd1..de56a75 100644 +index c8d1cd1262..de56a75213 100644 --- a/src/build-tools/kadm-client.pc.in +++ b/src/build-tools/kadm-client.pc.in @@ -1,7 +1,7 @@ @@ -45,7 +45,7 @@ index c8d1cd1..de56a75 100644 Name: kadm-client Description: Kerberos administration client library diff --git a/src/build-tools/kadm-server.pc.in b/src/build-tools/kadm-server.pc.in -index cd2f86c..a73ff86 100644 +index cd2f86c649..a73ff86cfe 100644 --- a/src/build-tools/kadm-server.pc.in 
+++ b/src/build-tools/kadm-server.pc.in @@ -1,7 +1,7 @@ @@ -59,7 +59,7 @@ index cd2f86c..a73ff86 100644 Name: kadm-server Description: Kerberos administration server library diff --git a/src/build-tools/kdb.pc.in b/src/build-tools/kdb.pc.in -index 461a8d01d0..356501d 100644 +index 461a8d01d0..356501d38c 100644 --- a/src/build-tools/kdb.pc.in +++ b/src/build-tools/kdb.pc.in @@ -1,7 +1,7 @@ @@ -73,7 +73,7 @@ index 461a8d01d0..356501d 100644 KDB5_DB_LIB=@KDB5_DB_LIB@ diff --git a/src/build-tools/mit-krb5-gssapi.pc.in b/src/build-tools/mit-krb5-gssapi.pc.in -index 7b91b19..b2b2436 100644 +index 7b91b19f19..b2b243630c 100644 --- a/src/build-tools/mit-krb5-gssapi.pc.in +++ b/src/build-tools/mit-krb5-gssapi.pc.in @@ -1,7 +1,7 @@ @@ -87,7 +87,7 @@ index 7b91b19..b2b2436 100644 Name: mit-krb5-gssapi Description: Kerberos implementation of the GSSAPI diff --git a/src/build-tools/mit-krb5.pc.in b/src/build-tools/mit-krb5.pc.in -index 0308815..058e75f 100644 +index 030881512f..058e75f24d 100644 --- a/src/build-tools/mit-krb5.pc.in +++ b/src/build-tools/mit-krb5.pc.in @@ -1,7 +1,7 @@ diff --git a/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch b/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch index 4e91c2571e..f7416bf36a 100644 --- a/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch +++ b/debian/patches/debian-local/0008-Use-isystem-for-include-paths.patch @@ -26,7 +26,7 @@ Patch-Category: debian-local 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/build-tools/gssrpc.pc.in b/src/build-tools/gssrpc.pc.in -index e08c2e8..fb4f489 100644 +index e08c2e840a..fb4f489f87 100644 --- a/src/build-tools/gssrpc.pc.in +++ b/src/build-tools/gssrpc.pc.in @@ -7,6 +7,6 @@ vendor=MIT @@ -38,7 +38,7 @@ index e08c2e8..fb4f489 100644 Libs: -L${libdir} -lgssrpc Requires.private: mit-krb5-gssapi 
diff --git a/src/build-tools/kadm-client.pc.in b/src/build-tools/kadm-client.pc.in -index de56a75..47541ac 100644 +index de56a75213..47541ac2af 100644 --- a/src/build-tools/kadm-client.pc.in +++ b/src/build-tools/kadm-client.pc.in @@ -7,5 +7,5 @@ Name: kadm-client @@ -49,7 +49,7 @@ index de56a75..47541ac 100644 +Cflags: -isystem ${includedir} Libs: -L${libdir} -lkadm5clnt_mit diff --git a/src/build-tools/kadm-server.pc.in b/src/build-tools/kadm-server.pc.in -index a73ff86..5ce4b73 100644 +index a73ff86cfe..5ce4b733c4 100644 --- a/src/build-tools/kadm-server.pc.in +++ b/src/build-tools/kadm-server.pc.in @@ -7,5 +7,5 @@ Name: kadm-server @@ -60,7 +60,7 @@ index a73ff86..5ce4b73 100644 +Cflags: -isystem ${includedir} Libs: -L${libdir} -lkadm5srv_mit diff --git a/src/build-tools/kdb.pc.in b/src/build-tools/kdb.pc.in -index 356501d..d39eeef 100644 +index 356501d38c..d39eeef889 100644 --- a/src/build-tools/kdb.pc.in +++ b/src/build-tools/kdb.pc.in @@ -9,6 +9,6 @@ Name: kdb @@ -72,7 +72,7 @@ index 356501d..d39eeef 100644 Libs: -L${libdir} -lkdb5 Libs.private: ${KDB5_DB_LIB} diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index 637bad7..5a109b0 100755 +index 637bad7c75..5a109b0145 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in @@ -201,7 +201,7 @@ fi @@ -85,7 +85,7 @@ index 637bad7..5a109b0 100755 echo '' fi diff --git a/src/build-tools/mit-krb5-gssapi.pc.in b/src/build-tools/mit-krb5-gssapi.pc.in -index b2b2436..f919222 100644 +index b2b243630c..f919222699 100644 --- a/src/build-tools/mit-krb5-gssapi.pc.in +++ b/src/build-tools/mit-krb5-gssapi.pc.in @@ -7,5 +7,5 @@ Name: mit-krb5-gssapi @@ -96,7 +96,7 @@ index b2b2436..f919222 100644 +Cflags: -isystem ${includedir} Libs: -L${libdir} -lgssapi_krb5 diff --git a/src/build-tools/mit-krb5.pc.in b/src/build-tools/mit-krb5.pc.in -index 058e75f..455427a 100644 +index 058e75f24d..455427a42e 100644 --- a/src/build-tools/mit-krb5.pc.in 
+++ b/src/build-tools/mit-krb5.pc.in @@ -10,6 +10,6 @@ defcktname=@DEFCKTNAME@ diff --git a/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch b/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch index f3b1edde82..8c1c584b35 100644 --- a/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch +++ b/debian/patches/debian-local/0009-Fix-krb5-config-paths.patch @@ -14,7 +14,7 @@ Patch-Category: debian-local 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in -index 5a109b0..723d1eb 100755 +index 5a109b0145..723d1ebac8 100755 --- a/src/build-tools/krb5-config.in +++ b/src/build-tools/krb5-config.in @@ -29,8 +29,8 @@ version_string="Kerberos 5 release @KRB5_VERSION@" diff --git a/debian/patches/series b/debian/patches/series index b849ed1b8e..adab9183c9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,7 @@ debian-local/0007-Fix-pkg-config-library-include-paths.patch debian-local/0008-Use-isystem-for-include-paths.patch debian-local/0009-Fix-krb5-config-paths.patch 0010-Initial-German-translations.patch +upstream/0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch +upstream/0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch +upstream/0013-Fix-udp_preference_limit-with-SRV-records.patch +upstream/0014-Prevent-KDC-unset-status-assertion-failures.patch diff --git a/debian/patches/upstream/0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch b/debian/patches/upstream/0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch new file mode 100644 index 0000000000..a43d78cf2b --- /dev/null +++ b/debian/patches/upstream/0011-Fix-KDC-kadmind-startup-on-some-IPv4-only-systems.patch 
@@ -0,0 +1,65 @@
+From 99022bb640a9bff0d77dc312339ed5e83a2022c0 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghud...@mit.edu>
+Date: Mon, 26 Dec 2016 15:09:24 -0500
+Subject: Fix KDC/kadmind startup on some IPv4-only systems
+
+getaddrinfo(NULL, ...) may yield an IPv6 wildcard address on IPv4-only
+systems, and creating a socket for that address may result in an
+EAFNOSUPPORT error. Tolerate that error as long as we can bind at
+least one socket for the address.
+
+(cherry picked from commit 04c2bb56f5203b296b24314810eca02f5dc7e491)
+
+ticket: 8531
+version_fixed: 1.15.1
+
+(cherry picked from commit 552a129fb857e7f6fa734011d69785ad912b3fc5)
+Patch-Category: upstream
+---
+ src/lib/apputils/net-server.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
+index 171ecc4047..d64ffddd68 100644
+--- a/src/lib/apputils/net-server.c
++++ b/src/lib/apputils/net-server.c
+@@ -834,7 +834,7 @@ setup_addresses(struct socksetup *data)
+ };
+ krb5_error_code ret = 0;
+ size_t i;
+- int err;
++ int err, bound_any;
+ struct bind_address addr;
+ struct addrinfo hints, *ai_list = NULL, *ai = NULL;
+ verto_callback vcb;
+@@ -871,8 +871,12 @@ setup_addresses(struct socksetup *data)
+ * Loop through all the sockets that getaddrinfo could find to match
+ * the requested address. For wildcard listeners, this should usually
+ * have two results, one for each of IPv4 and IPv6, or one or the
+- * other, depending on the system.
++ * other, depending on the system. On IPv4-only systems, getaddrinfo()
++ * may return both IPv4 and IPv6 addresses, but creating an IPv6 socket
++ * may give an EAFNOSUPPORT error, so tolerate that error as long as we
++ * can bind at least one socket.
+ */
++ bound_any = 0;
+ for (ai = ai_list; ai != NULL; ai = ai->ai_next) {
+ /* Make sure getaddrinfo returned a socket with the same type that
+ * was requested. */
+@@ -889,9 +893,15 @@ setup_addresses(struct socksetup *data)
+ _("Failed setting up a %s socket (for %s)"),
+ bind_type_names[addr.type],
+ paddr(ai->ai_addr));
+- goto cleanup;
++ if (ret != EAFNOSUPPORT)
++ goto cleanup;
++ } else {
++ bound_any = 1;
+ }
+ }
++ if (!bound_any)
++ goto cleanup;
++ ret = 0;
+
+ if (ai_list != NULL)
+ freeaddrinfo(ai_list);
diff --git a/debian/patches/upstream/0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch b/debian/patches/upstream/0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch
new file mode 100644
index 0000000000..779621062d
--- /dev/null
+++ b/debian/patches/upstream/0012-Use-pktinfo-for-explicit-UDP-wildcard-listeners.patch
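Review bot: The tolerated EAFNOSUPPORT case in setup_addresses() still passes through the "Failed setting up a %s socket (for %s)" message before the new `if (ret != EAFNOSUPPORT)` test, so an IPv4-only host that starts correctly reports a socket failure on every start; the call that emits the message begins outside the hunk, so its log level is not visible here. Consider saying in that path that the address is being skipped, or lowering the level when `ret == EAFNOSUPPORT`, so that operators can tell a benign skip from a listener that is really missing. When nothing binds, the function leaves through `if (!bound_any) goto cleanup;` with whatever error the last attempt left in `ret`; a one-line comment such as `/* ret still holds the last socket setup error */` would make that reliance explicit.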
@@ -0,0 +1,52 @@
+From 1bffb7f177dc7a9ed95bce03c607dd20c15d39fb Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghud...@mit.edu>
+Date: Mon, 26 Dec 2016 15:18:05 -0500
+Subject: Use pktinfo for explicit UDP wildcard listeners
+
+In net-server.c, use pktinfo on UDP server sockets if they are bound
+to wildcard addresses, whether that is explicit or implicit in the
+address specification.
+
+(cherry picked from commit d005beaa72c70bc28b2b0b49b9d83eff160ca8f1)
+
+ticket: 8530
+version_fixed: 1.15.1
+
+(cherry picked from commit e23d062471bf9071072aaf2df39054508fe74cc1)
+
+Patch-Category: upstream
+---
+ src/lib/apputils/net-server.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c
+index d64ffddd68..29ec84a15b 100644
+--- a/src/lib/apputils/net-server.c
++++ b/src/lib/apputils/net-server.c
+@@ -105,6 +105,17 @@ paddr(struct sockaddr *sa)
+ return buf;
+ }
+
++/* Return true if sa is an IPv4 or IPv6 wildcard address. */
++static int
++is_wildcard(struct sockaddr *sa)
++{
++ if (sa->sa_family == AF_INET6)
++ return IN6_IS_ADDR_UNSPECIFIED(&sa2sin6(sa)->sin6_addr);
++ else if (sa->sa_family == AF_INET)
++ return sa2sin(sa)->sin_addr.s_addr == INADDR_ANY;
++ return 0;
++}
++
+ /* KDC data. */
+
+ enum conn_type {
+@@ -753,7 +764,7 @@ setup_socket(struct socksetup *data, struct bind_address *ba,
+ }
+
+ /* Try to turn on pktinfo for UDP wildcard sockets. */
+- if (ba->type == UDP && ba->address == NULL) {
++ if (ba->type == UDP && is_wildcard(sock_address)) {
+ krb5_klog_syslog(LOG_DEBUG, _("Setting pktinfo on socket %s"),
+ paddr(sock_address));
+ ret = set_pktinfo(sock, sock_address->sa_family);
diff --git a/debian/patches/upstream/0013-Fix-udp_preference_limit-with-SRV-records.patch b/debian/patches/upstream/0013-Fix-udp_preference_limit-with-SRV-records.patch
new file mode 100644
index 0000000000..a017ac96c5
--- /dev/null
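Review bot: In is_wildcard(), `sa2sin(sa)->sin_addr.s_addr == INADDR_ANY` compares a network-byte-order field with a host-byte-order constant; it is correct only because the constant is zero, and `htonl(INADDR_ANY)` states the intent without relying on that. The helper returns 0 for every other address family, so such a socket never gets pktinfo; a short comment saying that this is deliberate would help. Since setup_socket() now keys pktinfo on the bound address rather than on `ba->address == NULL`, a test with an explicitly configured `0.0.0.0` or `::` UDP listener would pin the behaviour the commit message describes; setup_socket()'s body continues outside the hunk.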
+++ b/debian/patches/upstream/0013-Fix-udp_preference_limit-with-SRV-records.patch 
@@ -0,0 +1,60 @@
+From 79f8689317c4bdb8b31306677ffa38664344ed6b Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghud...@mit.edu>
+Date: Mon, 27 Feb 2017 22:35:07 -0500
+Subject: Fix udp_preference_limit with SRV records
+
+In sendto_kdc:resolve_server() when resolving a server entry with a
+specified transport, defer the resulting addresses if the strategy
+dictates that the specified transport is not preferred. Reported by
+Jochen Hein.
+
+(cherry picked from commit bc7594058011c2f9711f24af4fa15a421a8d5b62)
+
+ticket: 8554
+version_fixed: 1.15.1
+
+(cherry picked from commit 59a3449f13c63048b44f56cad2d528c0805d3627)
+
+Patch-Category: upstream
+---
+ src/lib/krb5/os/sendto_kdc.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
+index ef80991c1d..fffe0262f6 100644
+--- a/src/lib/krb5/os/sendto_kdc.c
++++ b/src/lib/krb5/os/sendto_kdc.c
+@@ -791,7 +791,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
+ struct server_entry *entry = &servers->servers[ind];
+ k5_transport transport;
+ struct addrinfo *addrs, *a, hint, ai;
+- krb5_boolean defer;
++ krb5_boolean defer = FALSE;
+ int err, result;
+ char portbuf[PORT_LENGTH];
+
+@@ -811,9 +811,13 @@ resolve_server(krb5_context context, const krb5_data *realm,
+ NULL, NULL, entry->uri_path, udpbufp);
+ }
+
+- /* If the entry has a specified transport, use it. */
+- if (entry->transport != TCP_OR_UDP)
++ /* If the entry has a specified transport, use it, but possibly defer the
++ * addresses we add based on the strategy. */
++ if (entry->transport != TCP_OR_UDP) {
+ transport = entry->transport;
++ defer = (entry->transport == TCP && strategy == UDP_FIRST) ||
++ (entry->transport == UDP && strategy == UDP_LAST);
++ }
+
+ memset(&hint, 0, sizeof(hint));
+ hint.ai_family = entry->family;
+@@ -833,7 +837,7 @@ resolve_server(krb5_context context, const krb5_data *realm,
+ /* Add each address with the specified or preferred transport. */
+ retval = 0;
+ for (a = addrs; a != 0 && retval == 0; a = a->ai_next) {
+- retval = add_connection(conns, transport, FALSE, a, ind, realm,
++ retval = add_connection(conns, transport, defer, a, ind, realm,
+ entry->hostname, portbuf, entry->uri_path,
+ udpbufp);
+ }
diff --git a/debian/patches/upstream/0014-Prevent-KDC-unset-status-assertion-failures.patch b/debian/patches/upstream/0014-Prevent-KDC-unset-status-assertion-failures.patch
new file mode 100644
index 0000000000..57c064dbd7
--- /dev/null
+++ b/debian/patches/upstream/0014-Prevent-KDC-unset-status-assertion-failures.patch
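Review bot: The new `defer` expression in resolve_server() names only TCP and UDP, so an entry with any other specified transport keeps `defer == FALSE` from the initializer added in the first hunk; that looks intended but is not stated anywhere. I would extend the comment with `Entries with any other specified transport are never deferred.` and note beside `krb5_boolean defer = FALSE;` which path assigns it when the transport is TCP_OR_UDP, since that assignment lies outside the hunk. The diffstat shows only sendto_kdc.c changing, so no regression test accompanies the fix; one covering a transport-specific server entry with udp_preference_limit set would keep this from regressing again.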
@@ -0,0 +1,109 @@
+From ae9e8a761c3518843c4b94484c3d095320f1f7bd Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghud...@mit.edu>
+Date: Thu, 13 Jul 2017 12:14:20 -0400
+Subject: Prevent KDC unset status assertion failures
+
+Assign status values if S4U2Self padata fails to decode, if an
+S4U2Proxy request uses invalid KDC options, or if an S4U2Proxy request
+uses an evidence ticket which does not match the canonicalized request
+server principal name. Reported by Samuel Cabrero.
+
+If a status value is not assigned during KDC processing, default to
+"UNKNOWN_REASON" rather than failing an assertion. This change will
+prevent future denial of service bugs due to similar mistakes, and
+will allow us to omit assigning status values for unlikely errors such
+as small memory allocation failures.
+
+CVE-2017-11368:
+
+In MIT krb5 1.7 and later, an authenticated attacker can cause an
+assertion failure in krb5kdc by sending an invalid S4U2Self or
+S4U2Proxy request.
+
+ CVSSv3 Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:H/RL:O/RC:C
+
+ticket: 8599 (new)
+target_version: 1.15-next
+target_version: 1.14-next
+tags: pullup
+
+Patch-Category: upstream
+---
+ src/kdc/do_as_req.c | 4 ++--
+ src/kdc/do_tgs_req.c | 3 ++-
+ src/kdc/kdc_util.c | 10 ++++++++--
+ 3 files changed, 12 insertions(+), 5 deletions(-)
+
+diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
+index 712ccb7946..a4bf91b1b6 100644
+--- a/src/kdc/do_as_req.c
++++ b/src/kdc/do_as_req.c
+@@ -365,8 +365,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
+ did_log = 1;
+
+ egress:
+- if (errcode != 0)
+- assert (state->status != 0);
++ if (errcode != 0 && state->status == NULL)
++ state->status = "UNKNOWN_REASON";
+
+ au_state->status = state->status;
+ au_state->reply = &state->reply;
+diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
+index 547a414417..339259fd1e 100644
+--- a/src/kdc/do_tgs_req.c
++++ b/src/kdc/do_tgs_req.c
+@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
+ free(reply.enc_part.ciphertext.data);
+
+ cleanup:
+- assert(status != NULL);
++ if (status == NULL)
++ status = "UNKNOWN_REASON";
+ if (reply_key)
+ krb5_free_keyblock(kdc_context, reply_key);
+ if (errcode)
+diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
+index 29f9dbbf07..30c501c679 100644
+--- a/src/kdc/kdc_util.c
++++ b/src/kdc/kdc_util.c
+@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
+ req_data.data = (char *)pa_data->contents;
+
+ code = decode_krb5_pa_for_user(&req_data, &for_user);
+- if (code)
++ if (code) {
++ *status = "DECODE_PA_FOR_USER";
+ return code;
++ }
+
+ code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
+ if (code) {
+@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
+ req_data.data = (char *)pa_data->contents;
+
+ code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
+- if (code)
++ if (code) {
++ *status = "DECODE_PA_S4U_X509_USER";
+ return code;
++ }
+
+ code = verify_s4u_x509_user_checksum(context,
+ tgs_subkey ? tgs_subkey :
+@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+ * that is validated previously in validate_tgs_request().
+ */
+ if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
++ *status = "INVALID_S4U2PROXY_OPTIONS";
+ return KRB5KDC_ERR_BADOPTION;
+ }
+
+@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
+ if (!krb5_principal_compare(kdc_context,
+ server->princ, /* after canon */
+ server_princ)) {
++ *status = "EVIDENCE_TICKET_MISMATCH";
+ return KRB5KDC_ERR_SERVER_NOMATCH;
+ }
+
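Review bot: The two fallbacks are not equivalent: at `egress:` in do_as_req.c "UNKNOWN_REASON" is set only when `errcode != 0`, while at `cleanup:` in process_tgs_req() it is set whenever `status == NULL`, which would also label a successful request if one ever arrived there with status unset. Either guard both on the error code or add a comment at the TGS site saying why the unconditional form is wanted. Both sites should also record why this is no longer an assert, for example `/* Never assert on status: it can be left unset on paths an authenticated client can reach (CVE-2017-11368). */`, so the check is not turned back into an assertion later. Because the fallback now hides any remaining unset-status path, "UNKNOWN_REASON" appearing in KDC logs is worth alerting on as the sign of one.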