| Summary: | <dev-python/pykerberos-1.1.7: checkPassword() does not verify KDC authenticity | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | minor | CC: | andreis.vinogradovs, maksbotan, proxy-maint |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1223802 | ||
| Whiteboard: | B3 [noglsa] | ||
| Package list: | Runtime testing required: | --- | |
*pykerberos-1.1.7 (29 May 2015) 29 May 2015; Ian Delaney <idella4@gentoo.org> +pykerberos-1.1.7.ebuild: bump wrt to sec bug #550120 I bumped this as a member of proxy-maint. I know nothing more of the package. Check with the others listed in CC if you wish. dev-python/pykerberos implemented KDC verification support via https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c $ git tag --contains 02d13860b25fab58e739f0e000bed0067b7c6f9c v1.1.10 v1.1.11 v1.1.12 v1.1.13 v1.1.6 v1.1.7 v1.1.8 v1.1.9 So this was fixed for Gentoo once =dev-python/pykerberos-1.1.7 appeared. @ Arches, please test and mark stable: =dev-python/pykerberos-1.1.9 amd64 stable x86 stable. Maintainer(s), please cleanup. Security, please vote. commit 7dd1321fe354b963a72c3876e18d6c211fa2c0ab (HEAD -> master, origin/master, origin/HEAD) Author: Patrice Clement <monsieurp@gentoo.org> AuthorDate: Sat Nov 26 00:29:57 2016 +0100 Commit: Patrice Clement <monsieurp@gentoo.org> CommitDate: Sat Nov 26 00:30:10 2016 +0100 dev-python/pykerberos: clean up vulnerable version. Gentoo-Bug: https://bugs.gentoo.org/550120 Package-Manager: portage-2.3.0 dev-python/pykerberos/Manifest | 1 - dev-python/pykerberos/pykerberos-1.1.5.ebuild | 22 ---------------------- 2 files changed, 23 deletions(-) delete mode 100644 dev-python/pykerberos/pykerberos-1.1.5.ebuild Clean up done. Over to the security team! GLSA Vote: No |
From ${URL} : The python-kerberos checkPassword() function does not verify that the KDC that it is authenticating with is the one that it intended to communicate with. This could allow a man-in-the-middle attacker to spoof a KDC when an application using python-kerberos attempts to verify a password via the checkPassword() function. This issue is tracked upstream in https://www.calendarserver.org/ticket/833 , however it was resolved by documenting the shortcomings of the checkPassword() function: https://pypi.python.org/pypi/kerberos . The pykerberos library (https://pypi.python.org/pypi/pykerberos), a fork of python-kerberos, does include KDC validation support. This change should be backported to python-kerberos to avoid various other application that rely on checkPassword() from having to replace the checkPassword() with a more secure alternative. @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.