| Field | Value |
|---|---|
| Summary | app-crypt/mit-krb5 Multiple issues CVE-2007-{095{6\|7}\|1216} |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | blocker |
| CC | lkml_ccc, seemant |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | B0? [glsa] jaervosz |
| Package list | |
| Runtime testing required | --- |
| Attachments | 114842 (new ebuild), 114843 (first patch, telnetd), 114844 (second patch, syslogging), 114845 (third and final patch) |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2007-03-23 07:25:43 UTC
Seemant please attach updated ebuilds for pretesting. Do not commit anything to Portage yet.

I didn't see what the "fix" is here and am curious, as I would like to *quietly* add a fix for this to the snapshot for the release. We're planning on releasing before this date, and GRP does include kerberos support, but we likely will only be releasing 1 day before, meaning if I can slip in a patch without a revision bump into the current stable (in my snapshot only), nobody would be the wiser. We would have a secure out-of-box release, yet the "upgrade" would still be the next day. Is that possible/doable?

Chris, yes, I'll send you an ebuild.

Seemant could you attach the ebuilds here as well so I can call arch security liaisons?

Chris I'm awaiting answer from upstream. I'll update this as soon as I know more.

Answer received from upstream. Forwarded to Chris.

Seemant could you please attach the updated ebuilds, the deadline is getting close?

Created attachment 114842 [details]
new ebuild
This is the new proposed ebuild (though I reckon for final release the version will change).
Created attachment 114843 [details, diff]
The first patch to fix telnetd
Created attachment 114844 [details, diff]
The second patch to fix syslogging
Created attachment 114845 [details, diff]
The third and final patch
OK, here's the ebuild with 3 patches. Please put the patches into FILESDIR.

Still 1.5.2, correct?

Thx Seemant. Arch Security Liaisons please test and report back on this bug. Do NOT commit anything at this time.

OK. I've added this as 1.5.2 (not -r1) into the snapshot. While this will go public before the release date, this just makes it simpler on me since anything official that goes into the tree will definitely supersede the snapshot's version. Thanks everyone!

compiles and works on ppc64.

looks good on ppc

Looks ok on sparc.

Looks good on hppa.

Coordinated release in about 48 hours. Status so far is that we are ready for the following arches: hppa ppc ppc64 sparc. We still need OK from the following arches: x86 amd64 alpha. Security please review the drafted GLSA.

looks good on x86

adding kingtaco for amd64

alpha and ia64 look good.

Removing tcort since he's retired.

patches and compiles on amd64. nice

public now, advisories available on MIT site and bugtraq. seemant, please commit the updated ebuild (directly to stable for the tested arches)
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt

arm (and mips?) should be added as soon as the ebuild has been committed

updating status, since we should of course wait for the ebuild ;-)

thanks for the fast commit seemant. removing arch team members, adding missing arches. ready for GLSA publication

Thx everyone! GLSA 200704-02

*** Bug 173299 has been marked as a duplicate of this bug. ***