Public bug reported:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 affects ubuntu/krb5
 status confirmed
 importance wishlist
 subscribe ubuntu-archive

Please sync krb5 1.6.dfsg.3-2 (main) from Debian unstable (main).

Explanation of the Ubuntu delta and why it can be dropped: Security fixes taken upstream.

Changelog since current intrepid version 1.6.dfsg.3~beta1-2ubuntu1:

krb5 (1.6.dfsg.4~beta1-1) experimental; urgency=low

  * Changes from Russ:
  * Do not translate the Kerberos v4 modes. They are literal strings passed
    to the Kerberos KDC as arguments to the -4 option. Comment mentions of
    those strings in the debconf template so that translators know this.
  * Rather than prompting at installation time for whether the KDC database
    should be deleted on purge, prompt in prerm when the package is being
    removed for whether the database should be deleted.
  * Translation updates:
    - Galician, thanks Jacobo Tarrio. (Closes: #482324)
    - French, thanks Christian Perrier. (Closes: #482326)
    - Vietnamese, thanks Clytie Siddall. (Closes: #482362)
    - Basque, thanks Piarres Beobide. (Closes: #482376)
    - Czech, thanks Miroslav Kure. (Closes: #482428)
    - German, thanks Helge Kreutzmann. (Closes: #482366)
    - Spanish, thanks Diego D'Onofrio.
    - Finnish, thanks Esko Arajärvi. (Closes: #482682)
    - Portuguese, thanks Miguel Figueiredo. (Closes: #483049)
  * From Sam:
  * remove extra space in debian/rules so upstream configure scripts can work
  * Upgrade to 1.6.4 beta 1
  * Upstream includes several fixes to bugs that were assigned CVE numbers;
    upstream does not actually consider these security issues and no
    advisory was issued, but they are included here for the benefit of the
    security team in case anyone asks.
    (Closes: #454974)
    - fix CVE-2007-5972: double fclose() in krb5_def_store_mkey()
    - fix CVE-2007-5971: double-free in gss_krb5int_make_seal_token_v3()
    - fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal()
    - fix CVE-2007-5971: free of non-heap pointer in gss_indicate_mechs()
    - fix CVE-2007-5894: apparent uninit length in ftpd.c:reply()

 -- Sam Hartman <[EMAIL PROTECTED]>  Sat, 31 May 2008 10:53:21 -0400

krb5 (1.6.dfsg.3-2) unstable; urgency=low

  * kdc.conf was previously in krb5-doc, not uninstalled. Properly handle
    moving it to the krb5-kdc package. (Closes: #480452)
  * Include libkdb-ldap1 in krb5-kdc-pkinit, install it into a private
    directory (/usr/lib/krb5) rather than directly in /usr/lib, and use an
    RPATH in kdb5_ldap_util and the plugin to find the library. Drop the
    libkdb-ldap1 library package. This library isn't intended to be used
    by any software outside of the KDC plugin and utility. Thanks, Bastian
    Blank. (Closes: #479384)
  * Load defaults for debconf configuration of krb5-admin-server and
    krb5-kdc from the /etc/default files if they exist. Thanks, Bastian
    Blank. (Closes: #479404)
  * Preserve DAEMON_ARGS settings in /etc/default/krb5-admin-server and
    /etc/default/krb5-kdc even if debconf configuration is enabled.
  * Don't require that a stash file be created in /etc/init.d/krb5-kdc.
    Stash files are optional. (Closes: #479457)
  * Error out instead of silently exiting if debconf's confmodule cannot be
    loaded. Given that we depend on debconf, if this fails, something
    serious went wrong and we shouldn't ignore it.
  * Use /bin/which instead of command -v to check for update-inetd.
  * Unconditionally remove kpropd's inetd.conf entry in the postrm of
    krb5-kdc rather than special-casing remove and deconfigure.
  * Add 256-bit AES and RC4 keys to the default kdc.conf, the first because
    it's the strongest enctype currently supported and the second for
    Windows compatibility. Improve the README.KDC enctype documentation.
  * Install kerberos.ldif and kerberos.schema in krb5-kdc-ldap as
    documentation. Thanks, Bastian Blank. (Closes: #479239)

 -- Russ Allbery <[EMAIL PROTECTED]>  Fri, 09 May 2008 20:27:16 -0700

krb5 (1.6.dfsg.3-1) unstable; urgency=low

  * Final upstream 1.6.3 release.
  * Package the LDAP plugin for the KDC, which allows one to use an LDAP
    server to store the KDC database. Install the krb5-kdc-ldap package
    for the plugin. (Closes: #453113)
  * If krb5-config/default_realm isn't set, use EXAMPLE.COM as the realm so
    that the kdc.conf will at least be syntactically valid (but will still
    require editing). (Closes: #474741)
  * krb5-kdc explicitly depends on krb5-config since it relies on debconf
    variables set by that package.
  * Always stop krb524d on /etc/init.d/krb5-kdc stop even if the
    configuration has been changed to no longer run it. Thanks, Bastian
    Blank. (Closes: #477294)
  * Install the kdc.conf man page. (Closes: #477307)
  * krb5-kdc no longer depends on update-inetd and inet-superserver and
    instead just suggests openbsd-inetd | inet-superserver and
    conditionally adds the commented-out kpropd example if update-inetd is
    available. krb5-admin-server doesn't need inet-superserver at all.
    Thanks, Bastian Blank. (Closes: #477301)
  * Change the doc-base sections to System/Security.
  * Correctly mangle the version in the watch file.
  * Remove conflicts with packages already not present in oldstable.
  * Remove versioned build-dependencies satisfied by oldstable.
  * Remove versioned Replaces for versions older than oldstable.

 -- Russ Allbery <[EMAIL PROTECTED]>  Sun, 27 Apr 2008 20:39:36 -0700

krb5 (1.6.dfsg.3~beta1-4) unstable; urgency=emergency

  * MITKRB5-SA-2008-001: When Kerberos v4 support is enabled in the KDC,
    malformed messages may result in NULL pointer use, double-frees, or
    exposure of information.
    (CVE-2008-0062, CVE-2008-0063)
  * MITKRB5-SA-2008-002: If the file descriptor limit is larger than
    FD_SETSIZE and kadmind has more open connections than FD_SETSIZE, an
    array overrun and memory corruption may result. (CVE-2008-0947)

 -- Russ Allbery <[EMAIL PROTECTED]>  Fri, 07 Mar 2008 18:53:59 -0800

krb5 (1.6.dfsg.3~beta1-3) unstable; urgency=low

  * Apply cross-build patch from Neil Williams. (Closes: #465294)
  * Document in comments that configuration management via debconf should
    be disabled before making manual changes to /etc/default/krb5-kdc and
    /etc/default/krb5-admin-server. (Closes: #443326)
  * Support DAEMON_ARGS in /etc/default/krb5-admin-server for kadmind.
    Thanks, Dwayne Litzenberger. (Closes: #443331)
  * Don't stop the servers in runlevel S. This isn't a real runlevel and
    cannot be switched to, so the links are extraneous.
  * Use binary:Version instead of Source-Version in debian/control.
  * Depend on openbsd-inetd | inet-superserver instead of on update-inetd,
    since inetd implementations may provide their own update-inetd.
  * Improve quoting and formatting in the postinsts for krb5-kdc and
    krb5-admin-server. Error on failure to load debconf, since we do
    depend on it. Support reconfigure.
  * Fix file locations in the krb524 doc-base control file.
  * Add the info documentation to all doc-base control files.
  * Fix a variety of man page errors uncovered by man --warnings.
  * Wrap Depends and Conflicts fields in debian/control.
  * dpkg-dev now compresses duplicate relations, so no need for lintian
    overrides.
  * Add an override for the empty plugin directory in libkrb53.
  * Update standards version to 3.7.3 (no changes required).
  * Translation updates:
    - Finnish, thanks Esko Arajärvi. (Closes: #451146)
    - Dutch, thanks Vincent Zweije.
      (Closes: #460589)

 -- Russ Allbery <[EMAIL PROTECTED]>  Mon, 18 Feb 2008 20:53:08 -0800

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
Comment: Kees Cook <[EMAIL PROTECTED]>

iEYEARECAAYFAkhNbvcACgkQH/9LqRcGPm2DEgCfeuNt4HaiPLLVZpe7GElvUQy8
0NwAmwXyFuK4qIhUcwlMHxixYhSou9Ei
=IB5H
-----END PGP SIGNATURE-----

** Affects: krb5 (Ubuntu)
     Importance: Wishlist
         Status: Confirmed

-- 
Please sync krb5 1.6.dfsg.3-2 (main) from Debian unstable (main).
https://bugs.launchpad.net/bugs/238630
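The MITKRB5-SA-2008-002 entry in the changelog above describes a failure mode that any select()-based server can reproduce: fd_set is a fixed bit array of FD_SETSIZE bits, so FD_SET() on a descriptor numbered FD_SETSIZE or higher writes outside that array. The C program below is an added example, not code from krb5, from Debian packaging or from this bug report; the helper names safe_fd_set, fd_limit_exceeds_fdsetsize and track_constructed_fds, and the descriptor numbers, are constructed for illustration. It shows the two checks a defender wants in such a daemon: a startup comparison of RLIMIT_NOFILE against FD_SETSIZE, and a per-descriptor range check before anything is added to a set.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/select.h>
#include <sys/resource.h>

/* Hypothetical helper (added example): add fd to *set only if the set can
 * represent it. fd_set holds exactly FD_SETSIZE bits; FD_SET() on a larger
 * number writes outside the array, which is the overrun MITKRB5-SA-2008-002
 * describes. Returns 0 on success, -1 if the descriptor must be refused. */
int safe_fd_set(int fd, fd_set *set, int *maxfd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    if (maxfd != NULL && fd > *maxfd)
        *maxfd = fd;
    return 0;
}

/* Startup check: returns 1 if the process may be handed descriptors that
 * select() cannot track (RLIMIT_NOFILE soft limit above FD_SETSIZE),
 * 0 if every possible descriptor fits, -1 if getrlimit() fails. */
int fd_limit_exceeds_fdsetsize(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return rl.rlim_cur > (rlim_t)FD_SETSIZE ? 1 : 0;
}

/* Constructed descriptor numbers standing in for accepted connections:
 * three inside the representable range, two at or beyond FD_SETSIZE. */
static const int constructed_fds[] = {
    3, 4, FD_SETSIZE - 1, FD_SETSIZE, FD_SETSIZE + 1000
};
#define N_CONSTRUCTED (sizeof constructed_fds / sizeof constructed_fds[0])

/* Run the constructed connections through safe_fd_set(); returns the number
 * accepted, stores the number refused in *rejected and the highest tracked
 * descriptor in *maxfd. */
int track_constructed_fds(int *rejected, int *maxfd)
{
    fd_set readfds;
    int accepted = 0;
    FD_ZERO(&readfds);
    *rejected = 0;
    *maxfd = -1;
    for (size_t i = 0; i < N_CONSTRUCTED; i++) {
        if (safe_fd_set(constructed_fds[i], &readfds, maxfd) == 0)
            accepted++;
        else
            (*rejected)++;
    }
    return accepted;
}

/* Convenience wrappers so each result can be checked on its own. */
int demo_accepted(void) { int r, m; return track_constructed_fds(&r, &m); }
int demo_rejected(void) { int r, m; track_constructed_fds(&r, &m); return r; }
int demo_maxfd(void)    { int r, m; track_constructed_fds(&r, &m); return m; }

int main(void)
{
    int rejected, maxfd;
    int accepted = track_constructed_fds(&rejected, &maxfd);
    printf("FD_SETSIZE=%d accepted=%d rejected=%d maxfd=%d\n",
           FD_SETSIZE, accepted, rejected, maxfd);
    if (fd_limit_exceeds_fdsetsize() == 1)
        printf("warning: RLIMIT_NOFILE exceeds FD_SETSIZE; descriptors above "
               "the limit must be refused, or poll() used instead of select()\n");
    return 0;
}
```

On glibc FD_SETSIZE is 1024 while the default `ulimit -n` is usually at or above that, so the startup warning fires on most systems; the point of the per-descriptor check is that refusing (or closing) a connection whose descriptor does not fit is the only safe option once that condition holds, short of replacing select() with poll() or epoll().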