Following is the beginning of the two advisories published today; a Debian security announcement has been made too. Patches are available in the original advisories.

1) http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt

MIT krb5 Security Advisory 2004-003
Original release: 2004-08-31
Topic: ASN.1 decoder denial of service
Severity: serious

SUMMARY
=======

The ASN.1 decoder library in the MIT Kerberos 5 distribution is vulnerable to a denial-of-service attack causing an infinite loop in the decoder. The KDC is vulnerable to this attack.

IMPACT
======

* An unauthenticated remote attacker can cause a KDC or application server to hang inside an infinite loop. [CAN-2004-0644]
* An attacker impersonating a legitimate KDC or application server may cause a client program to hang inside an infinite loop. [CAN-2004-0644]

AFFECTED SOFTWARE
=================

* KDC software and applications from MIT Kerberos 5 releases krb5-1.2.2 through krb5-1.3.4.
* Applications using the MIT krb5 libraries from the above releases.

FIXES
=====

* The upcoming krb5-1.3.5 release will contain fixes for these problems.
* Apply the appropriate patch referenced below, and rebuild the software.

Patches available:

* Patch against krb5-1.3.4 (should apply to earlier krb5-1.3.x releases)
* Patch against krb5-1.2.8 (should apply to releases krb5-1.2.2 through krb5-1.2.7 as well)

[...]

2) http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt

MIT krb5 Security Advisory 2004-002
Original release: 2004-08-31
Topic: double-free vulnerabilities in KDC and libraries
Severity: CRITICAL

SUMMARY
=======

The MIT Kerberos 5 implementation's Key Distribution Center (KDC) program contains a double-free vulnerability that potentially allows a remote attacker to execute arbitrary code. Compromise of a KDC host compromises the security of the entire authentication realm served by the KDC.

Additionally, double-free vulnerabilities exist in MIT Kerberos 5 library code, making client programs and application servers vulnerable. Exploitation of double-free bugs is believed to be difficult. No exploits are known to exist for these vulnerabilities.

IMPACT
======

* An unauthenticated remote attacker can potentially execute arbitrary code on a KDC host, compromising an entire Kerberos realm. [CAN-2004-0642]
* A remote attacker can potentially execute arbitrary code on a host running krb524d, possibly compromising an entire Kerberos realm if the host is a KDC host. [CAN-2004-0772]
* An authenticated attacker can also potentially execute arbitrary code on hosts running vulnerable services. [CAN-2004-0643]
* An attacker impersonating a legitimate KDC or application server can potentially execute arbitrary code on a client host while the client is authenticating. [CAN-2004-0642]

AFFECTED SOFTWARE
=================

* KDC software from all releases of MIT Kerberos 5 up to and including krb5-1.3.4. [CAN-2004-0642]
* The krb524d program from krb5-1.2.8 and later. The krb524d present in earlier releases is vulnerable if it has been patched to disable krb4 cross-realm functionality. [CAN-2004-0772]
* Applications calling the krb5_rd_cred() function in releases prior to krb5-1.3.2. Such applications in the MIT krb5 releases include the remote login daemons (krshd, klogind, and telnetd) and the FTP daemon. The krb5_rd_cred() function decrypts and decodes forwarded Kerberos credentials. Third-party applications calling this function directly or indirectly (by means of the GSSAPI or other libraries) are vulnerable. [CAN-2004-0643]
* Client code from all releases of MIT Kerberos 5 up to and including krb5-1.3.4. Third-party applications directly or indirectly calling client library functions may also be vulnerable. [CAN-2004-0642]

FIXES
=====

* The upcoming krb5-1.3.5 release will contain fixes for these problems.
* Apply the appropriate patch or patches referenced below, and rebuild the software.
  - If you are running krb5-1.3 through krb5-1.3.4, apply 2004-002-patch_1.3.4.txt.
  - If you are running krb5-1.3 through krb5-1.3.1, apply 2004-002-patch_1.3.1.txt.
  - If you are running krb5-1.2.8, apply 2004-002-patch_1.2.8.txt.
  - Things become more complicated if you are running krb5-1.2 through krb5-1.2.7. The correct set of patches to apply will depend on whether you have applied the patches to disable krb4 cross-realm functionality [MITKRB5-SA-2003-004].
    + If you are running krb5-1.2.6 through krb5-1.2.7, and have applied the patches to disable krb4 cross-realm functionality, apply 2004-002-patch_1.2.8.txt.
    + If you are running krb5-1.2 through krb5-1.2.5, and have applied the patches to disable krb4 cross-realm functionality, apply 2004-002-patch_1.2.7.txt, followed by 2004-002-k524d_patch_1.2.5.txt.
    + If you are running krb5-1.2 through krb5-1.2.7, and have not applied the patches to disable krb4 cross-realm functionality, apply 2004-002-patch_1.2.7.txt.

[...]
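The first advisory above reports a hang inside the ASN.1 decoder. As an added illustration (not MIT's code and not the actual defect, which the advisory does not describe), here is a DER tag-length header parser written so that every path either fails cleanly or consumes a bounded, strictly positive number of bytes, which is the property a decoder needs so that no input can make it loop forever; the sample encodings in the test are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Decoded DER tag-length header (single-byte tags only, for brevity). */
typedef struct {
    int ok;          /* 1 if well-formed and the value fits in the buffer */
    uint8_t tag;
    size_t hdr_len;  /* bytes used by the tag and length octets */
    size_t val_len;  /* length of the value that follows the header */
} der_hdr;
/* Parse the header at buf[0] without reading past buf[len].
 * Every failure returns ok=0; every success consumes at least two bytes
 * and leaves val_len within the buffer, so callers always make progress. */
der_hdr der_read_header(const uint8_t *buf, size_t len)
{
    der_hdr h = {0, 0, 0, 0};
    if (len < 2) return h;                       /* need tag + one length octet */
    h.tag = buf[0];
    uint8_t first = buf[1];
    if (first < 0x80) {                          /* short form: the octet is the length */
        h.hdr_len = 2;
        h.val_len = first;
    } else {
        size_t n = first & 0x7f;                 /* number of length octets */
        if (n == 0 || n > sizeof(size_t)) return h; /* 0x80 = indefinite form: not DER */
        if (len - 2 < n) return h;               /* length octets truncated */
        size_t v = 0;
        for (size_t i = 0; i < n; i++) v = (v << 8) | buf[2 + i];
        if (v < 0x80) return h;                  /* long form must not encode a short length */
        h.hdr_len = 2 + n;
        h.val_len = v;
    }
    if (h.val_len > len - h.hdr_len) return h;   /* value would overrun the buffer */
    h.ok = 1;
    return h;
}
/* Walk consecutive top-level elements; return their count, or -1 on the
 * first malformed element. Terminates because off grows by hdr_len >= 2 each turn. */
int der_count_elements(const uint8_t *buf, size_t len)
{
    int count = 0;
    size_t off = 0;
    while (off < len) {
        der_hdr h = der_read_header(buf + off, len - off);
        if (!h.ok) return -1;
        off += h.hdr_len + h.val_len;
        count++;
    }
    return count;
}
```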
aliz or rphillips, please provide an updated ebuild.
Added 1.3.4 with patches from MITKRB5-SA-2004-003 and MITKRB5-SA-2004-002.
Arches please mark stable.
builds and installs on amd64, marking stable.
Stable on sparc.
Stable on alpha.
Stable on mips.
aliz: if you tested it on x86, could you push it into stable? We are waiting for this to issue the GLSA.
bumped to stable.
oops
Ready for GLSA publication
GLSA 200409-09. hppa, ia64, ppc64, s390: please mark stable to benefit from the GLSA.
thanks, stable on ppc64