Bug 212363 - app-crypt/mit-krb5 < 1.6.3 MITKRB5-SA-{2008-001|2008-002} (CVE-2008-{0062,0063,0947,0948})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Highest blocker
Assignee: Gentoo Security
Whiteboard: B0 [glsa]
Reported: 2008-03-05 10:03 UTC by Sune Kloppenborg Jeppesen
Modified: 2020-04-06 21:01 UTC

Attachments
MITKRB5-SA-2008-001 (20.53 KB, text/plain)
2008-03-05 10:04 UTC, Sune Kloppenborg Jeppesen
MITKRB5-SA-2008-002 (9.80 KB, text/plain)
2008-03-05 10:05 UTC, Sune Kloppenborg Jeppesen
1.5-MITKRB5-SA-2008-001.patch (10.76 KB, patch)
2008-03-18 20:39 UTC, Markus Ullmann (RETIRED)
1.6-MITKRB5-SA-2008-001.patch (10.82 KB, patch)
2008-03-18 20:39 UTC, Markus Ullmann (RETIRED)
MITKRB5-SA-2008-002.patch (1.47 KB, patch)
2008-03-18 20:41 UTC, Markus Ullmann (RETIRED)
mit-krb5-1.5.3-r2.ebuild (2.68 KB, text/plain)
2008-03-18 20:41 UTC, Markus Ullmann (RETIRED)
mit-krb5/mit-krb5-1.6.3.ebuild (2.40 KB, text/plain)
2008-03-18 20:42 UTC, Markus Ullmann (RETIRED)

Description Sune Kloppenborg Jeppesen gentoo-dev 2008-03-05 10:03:45 UTC
Attaching details in a moment.
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2008-03-05 10:04:49 UTC
Created attachment 145336 [details]
MITKRB5-SA-2008-001
Comment 2 Sune Kloppenborg Jeppesen gentoo-dev 2008-03-05 10:05:10 UTC
Created attachment 145337 [details]
MITKRB5-SA-2008-002
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-03-05 10:25:46 UTC
I'll rate this classified because MIT asked not to publish their drafts.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-03-09 12:36:48 UTC
Markus, please prepare an ebuild using the patches inside the two advisories and attach it to this bug. Do not commit anything to CVS or make details about this vulnerability public.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2008-03-14 21:53:42 UTC
Adding Wulf.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-03-18 01:58:53 UTC
In case you attach ebuilds, please include the patches mentioned in bug 199205.

Seeing that this will become public today, we might as well bump to the new release which will include patches for all these vulnerabilities.
Comment 7 Markus Ullmann (RETIRED) gentoo-dev 2008-03-18 20:39:07 UTC
Created attachment 146508 [details, diff]
1.5-MITKRB5-SA-2008-001.patch
Comment 8 Markus Ullmann (RETIRED) gentoo-dev 2008-03-18 20:39:46 UTC
Created attachment 146509 [details, diff]
1.6-MITKRB5-SA-2008-001.patch
Comment 9 Markus Ullmann (RETIRED) gentoo-dev 2008-03-18 20:41:07 UTC
Created attachment 146510 [details, diff]
MITKRB5-SA-2008-002.patch
Comment 10 Markus Ullmann (RETIRED) gentoo-dev 2008-03-18 20:41:49 UTC
Created attachment 146511 [details]
mit-krb5-1.5.3-r2.ebuild
Comment 11 Markus Ullmann (RETIRED) gentoo-dev 2008-03-18 20:42:41 UTC
Created attachment 146512 [details]
mit-krb5/mit-krb5-1.6.3.ebuild
Comment 12 Markus Ullmann (RETIRED) gentoo-dev 2008-03-18 20:43:45 UTC
also whoever sent those advisories in, please break a bone there for sending in patches with broken whitespaces... could have done something else than this the last 1 1/2 hours ;)
Comment 13 Markus Ullmann (RETIRED) gentoo-dev 2008-03-18 20:45:56 UTC
(as sent to me by rbu)

Arch Security Liaisons, please test the attached ebuild and report it 
stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 release 
s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : ferdy
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 14 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-18 21:21:30 UTC
Debian just released DSA 1524-1, so I guess we can this opened and committed.
Comment 15 Markus Ullmann (RETIRED) gentoo-dev 2008-03-18 21:36:28 UTC
okay, update... scratch the 1.5 release. a fellow just updated servers and all work fine with 1.6, so we can go straight to that version
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-03-18 22:10:02 UTC
okay, this is public now, so removing sec liaisons, adding arches, and filing GLSA request. if everyone's responsive enough, we shouldn't be too late :)
target for stabilisation is app-crypt/mit-krb5-1.6.3, just committed by jokey. keywords "alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-18 22:13:16 UTC
(In reply to comment #16)
> if everyone's responsive enough, we shouldn't be too late :)

OK, here goes:

> target for stabilisation is app-crypt/mit-krb5-1.6.3, just committed by jokey.

It hasn't been committed yet! :)
Comment 18 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-18 22:15:03 UTC
ppc stable
Comment 19 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-18 22:15:52 UTC
(In reply to comment #17)
> It hasn't been committed yet! :)

Ah, it's there now.
Comment 20 Tobias Scherbaum (RETIRED) gentoo-dev 2008-03-18 22:17:34 UTC
fixing priority which I set back to p2 for whatever reason ...
Comment 21 Jeroen Roovers (RETIRED) gentoo-dev 2008-03-19 00:32:20 UTC
Stable for HPPA.
Comment 23 Christian Faulhammer (RETIRED) gentoo-dev 2008-03-19 08:08:45 UTC
x86 stable
Comment 24 Markus Rothe (RETIRED) gentoo-dev 2008-03-19 11:39:28 UTC
app-crypt/mit-krb5-1.6.3 stable on ppc64
Comment 25 Raúl Porcel (RETIRED) gentoo-dev 2008-03-19 14:19:12 UTC
alpha/ia64/sparc stable
Comment 26 Markus Ullmann (RETIRED) gentoo-dev 2008-03-19 16:47:47 UTC
Stable on amd64/arm
Comment 27 Robert Buchholz (RETIRED) gentoo-dev 2008-03-24 19:40:37 UTC
GLSA 200803-31