From $URL: A flaw was found in krb5 certificate EKU validation which could lead to improper authorization if a forged certificate with the right EKU and no SAN is used. The PKINIT certauth eku module should never authoritatively authorize a certificate, because an extended key usage does not establish a relationship between the certificate and any specific user; it only establishes that the certificate was created for PKINIT client authentication. Upstream bug: https://github.com/krb5/krb5/pull/694 Upstream patch: https://github.com/krb5/krb5/pull/694/commits/50fe4074f188c2d4da0c421e96553acea8378db2 https://github.com/krb5/krb5/pull/694/commits/1de6ca2f2eb1fdbab51f1549a25a6903aefcc196 https://github.com/krb5/krb5/pull/694/commits/b7af544e50a4d8291524f590e20dd44430bf627d
This is fixed upstream in mit-krb5-1.16 which has released on 2017-12-05.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f4a050c738af81bb82e7b640667f08e3199c5ca1 commit f4a050c738af81bb82e7b640667f08e3199c5ca1 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2018-01-26 21:07:00 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2018-01-26 21:07:29 +0000 app-crypt/mit-krb5: bump, fixes CVE-2017-7562 Ebuild changes: =============== - Dropped the following upstreamed patches which are now included in v1.16: - mit-krb5-1.14.2-redeclared-ttyname.patch - mit-krb5-1.14.4-disable-nls.patch - mit-krb5-1.15.2-fix-pkinit.patch - We are now installing systemd services. [Bug 524412] - Tests are now restricted because they are requiring network access. Closes: https://bugs.gentoo.org/524412 Bug: https://bugs.gentoo.org/628936 Package-Manager: Portage-2.3.20, Repoman-2.3.6 app-crypt/mit-krb5/Manifest | 1 + app-crypt/mit-krb5/files/mit-krb5kadmind.service | 8 ++ app-crypt/mit-krb5/files/mit-krb5kdc.service | 9 ++ app-crypt/mit-krb5/files/mit-krb5kpropd.service | 8 ++ app-crypt/mit-krb5/files/mit-krb5kpropd.socket | 9 ++ app-crypt/mit-krb5/files/mit-krb5kpropd_at.service | 8 ++ app-crypt/mit-krb5/mit-krb5-1.16.ebuild | 155 +++++++++++++++++++++ 7 files changed, 198 insertions(+)}
@arches, please stabilize.
ppc64 stable
ppc stable
ia64 stable
not newstabling arm64
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c476eeeae26a5ac514e5769e9a9a5346a6f21349 commit c476eeeae26a5ac514e5769e9a9a5346a6f21349 Author: Aaron Bauman <bman@gentoo.org> AuthorDate: 2018-03-29 01:37:10 +0000 Commit: Aaron Bauman <bman@gentoo.org> CommitDate: 2018-03-29 01:37:10 +0000 app-crypt/mit-krb5: amd64 stable Bug: https://bugs.gentoo.org/628936 Package-Manager: Portage-2.3.26, Repoman-2.3.7 app-crypt/mit-krb5/mit-krb5-1.16.ebuild | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)}
x86 stable
Stable on alpha.
arm stable
hppa stable
GLSA Vote: No Cleanup will happen in bug 628936
(In reply to Aaron Bauman from comment #13) > GLSA Vote: No > > Cleanup will happen in bug 628936 bug 649610 rather