Bug#869260: CVE-2017-11368
On Tue, Jul 25, 2017 at 08:04:09AM -0400, Sam Hartman wrote:
>
> I can absolutely prepare a stable point update request for stretch.
> Is there still going to be a last point release to jessie?

There will be point releases for jessie at least until June 2018, i.e. one year after the stretch release, so yes :-)

Cheers,
Moritz
Bug#869260: CVE-2017-11368
I can absolutely prepare a stable point update request for stretch. Is there still going to be a last point release to jessie? If so I'll look into that too; I'd definitely like to get an update in.
Bug#869260: CVE-2017-11368
Hi Sam,

On Mon, Jul 24, 2017 at 02:09:06PM -0400, Sam Hartman wrote:
> Actually, on that note, why does this bug merit a DSA?
> It, like the other bugs, is a simple KDC crash from an authenticated
> attacker.
> It seems like it should be handled the same.

Yes indeed we can handle it the same. I have just marked it as no-dsa for stretch and jessie.

Might any of you have time to prepare an update for an upcoming point release and propose the update to the stable release managers?

https://www.debian.org/doc/manuals/developers-reference/ch05.en.html#upload-stable

Regards,
Salvatore
Bug#869260: CVE-2017-11368
Actually, on that note, why does this bug merit a DSA? It, like the other bugs, is a simple KDC crash from an authenticated attacker. It seems like it should be handled the same.
Bug#869260: CVE-2017-11368
Hi Sam,

On Sun, Jul 23, 2017 at 02:23:17PM -0400, Sam Hartman wrote:
> Take a look at the stretch branch of
> git://git.debian.org/git/pkg-k5-afs/debian-krb5-2013.git
>
> Shall I upload that to stable-security?

Thanks for your work. Can you send the resulting debdiff for a short review and ack to the security team at t...@security.debian.org? (Please target stretch-security rather than stable-security, the former is preferred).

What about jessie-security?

There are as well some CVEs previously marked no-dsa because they did not warrant a DSA on their own, can you include fixes for those as well?

Regards,
Salvatore
Bug#869260: CVE-2017-11368
Take a look at the stretch branch of
git://git.debian.org/git/pkg-k5-afs/debian-krb5-2013.git

Shall I upload that to stable-security?
Bug#869260: CVE-2017-11368
Source: krb5
Severity: grave
Tags: security

Hi,

please see:
https://github.com/krb5/krb5/pull/678/commits/a860385dd8fbd239fdb31b347e07f4e6b2fbdcc2

Cheers,
Moritz