Bug#869260: CVE-2017-11368

2017-07-25 Thread Moritz Muehlenhoff
On Tue, Jul 25, 2017 at 08:04:09AM -0400, Sam Hartman wrote:
> 
> I can absolutely prepare a stable point update request for stretch.
> Is there still going to be a last point release to jessie?

There will be point releases for jessie at least until June 2018,
i.e. one year after the stretch release, so yes :-)

Cheers,
Moritz



Bug#869260: CVE-2017-11368

2017-07-25 Thread Sam Hartman

I can absolutely prepare a stable point update request for stretch.
Is there still going to be a last point release to jessie?
If so I'll look into that too; I'd definitely like to get an update in.



Bug#869260: CVE-2017-11368

2017-07-25 Thread Salvatore Bonaccorso
Hi Sam,

On Mon, Jul 24, 2017 at 02:09:06PM -0400, Sam Hartman wrote:
> Actually, on that note, why does this bug merit a DSA?
> It, like the other bugs, is a simple KDC crash from an authenticated
> attacker.
> It seems like it should be handled the same.

Yes, indeed we can handle it the same. I have just marked it as no-dsa
for stretch and jessie.

Might any of you have time to prepare an update for an upcoming point
release and propose the update to the stable release managers?

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

Regards,
Salvatore



Bug#869260: CVE-2017-11368

2017-07-24 Thread Sam Hartman
Actually, on that note, why does this bug merit a DSA?
It, like the other bugs, is a simple KDC crash from an authenticated
attacker.
It seems like it should be handled the same.



Bug#869260: CVE-2017-11368

2017-07-24 Thread Salvatore Bonaccorso
Hi Sam,

On Sun, Jul 23, 2017 at 02:23:17PM -0400, Sam Hartman wrote:
> Take a look at the stretch branch of
> git://git.debian.org/git/pkg-k5-afs/debian-krb5-2013.git
> 
> Shall I upload that to stable-security?

Thanks for your work. Can you send the resulting debdiff for a short
review and ack to the security team at t...@security.debian.org?

(Please target stretch-security rather than stable-security; the former is
preferred.)

What about jessie-security? There are as well some CVEs previously
marked no-dsa because they did not warrant a DSA on their own; can you
include fixes for those as well?

Regards,
Salvatore



Bug#869260: CVE-2017-11368

2017-07-23 Thread Sam Hartman
Take a look at the stretch branch of
git://git.debian.org/git/pkg-k5-afs/debian-krb5-2013.git

Shall I upload that to stable-security?



Bug#869260: CVE-2017-11368

2017-07-22 Thread Moritz Muehlenhoff
Source: krb5
Severity: grave
Tags: security

Hi,
please see:
https://github.com/krb5/krb5/pull/678/commits/a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2

Cheers,
Moritz