** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

CVE-2010-4022: The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial-of-service attack triggered by invalid network input. An unauthenticated remote attacker can cause kpropd running in standalone mode (the "-S" option) to terminate its listening process, preventing database propagations to the KDC host on which it was running. Configurations where kpropd runs in incremental propagation mode ("iprop") or as an inetd server are not affected.
Affected: >=mit-krb5-1.7

CVE-2011-0281: An unauthenticated remote attacker can cause a KDC configured with an LDAP back end to become completely unresponsive until restarted.
Affected: >=mit-krb5-1.6

CVE-2011-0282: An unauthenticated remote attacker can cause a KDC configured with an LDAP back end to crash with a null pointer dereference.
Affected: >=mit-krb5-1.6

CVE-2011-0283: An unauthenticated remote attacker can cause a krb5-1.9 KDC with any back end to crash with a null pointer dereference.
Affected: >=mit-krb5-1.9 (~arch only)
Upstream notes that the disclosure of CVE-2011-0281 might already happen before Feb 08 as the trigger is already semi-public. Eray, do you want to prepare an updated ebuild for prestabling? These issues are 'just' DoS in special configurations, that might not warrant the effort, but with likely 12 days of time left, it might still be worth pursuing. Let me know, and I'll request the patches.
Aye, if you can get the patches, I am all for updating the ebuild. Thanks.
+*mit-krb5-1.9-r1 (08 Feb 2011) +*mit-krb5-1.8.3-r3 (08 Feb 2011) + + 08 Feb 2011; Eray Aslan <eras@gentoo.org> +mit-krb5-1.8.3-r3.ebuild, + +files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch, + +mit-krb5-1.9-r1.ebuild, +files/CVE-2010-4022.patch, + +files/CVE-2011-0281.0282.0283.patch: + Security bump - bug #352859 +
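Review bot: the entry does not say which of the two ebuilds applies files/CVE-2010-4022.patch; the bug description lists >=mit-krb5-1.7 as affected by CVE-2010-4022, so 1.8.3-r3 needs the kpropd fix as well, yet the only 1.8.3-specific patch named is files/mit-krb5-1.8.3-CVE-2011-0281.0282.0283.patch. Please confirm that mit-krb5-1.8.3-r3.ebuild applies the CVE-2010-4022 patch too, and make the entry self-describing by listing the CVEs it closes, e.g. "Security bump - bug #352859 (CVE-2010-4022, CVE-2011-0281, CVE-2011-0282, CVE-2011-0283)".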
These issues are now public:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt

(In reply to comment #3)
> +*mit-krb5-1.9-r1 (08 Feb 2011)
> +*mit-krb5-1.8.3-r3 (08 Feb 2011)
> +

Thank you, Eray. Are we ok to stabilize =app-crypt/mit-krb5-1.8.3-r3?
(In reply to comment #4)
> Are we ok to stabilize =app-crypt/mit-krb5-1.8.3-r3?

Yes, =app-crypt/mit-krb5-1.8.3-r3 is OK for stabilization. Sorry, should have mentioned it in my comment above.
(In reply to comment #5)
> (In reply to comment #4)
> > Are we ok to stabilize =app-crypt/mit-krb5-1.8.3-r3?
>
> Yes, =app-crypt/mit-krb5-1.8.3-r3 is OK for stabilization. Sorry, should have
> mentioned it in my comment above.

Thanks and no problem.

Arches, please test and mark stable:
=app-crypt/mit-krb5-1.8.3-r3
Target keywords : "alpha amd64 arm hppa ia64 m68k ppc ppc64 s390 sh sparc x86"
amd64 ok
amd64 done. Thanks Agostino
ppc/ppc64 stable
x86 stable
alpha/arm/ia64/m68k/s390/sh/sparc stable
Stable for HPPA.
Thanks, folks. GLSA Vote: Yes.
GLSA with #323525 .
CVE-2011-0284 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0284): Double free vulnerability in the prepare_error_as function in do_as_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 through 1.9, when the PKINIT feature is enabled, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via an e_data field containing typed data.

CVE-2011-0283 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0283): The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed request packet that does not trigger a response packet.

CVE-2011-0282 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0282): The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name.

CVE-2011-0281 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0281): The unparse implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (file descriptor exhaustion and daemon hang) via a principal name that triggers use of a backslash escape sequence, as demonstrated by a \n sequence.
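Added example, not part of this bug report and not code from MIT krb5: the NVD text above for CVE-2011-0281 (and the bug description's summary of the same LDAP back-end hang) turns on a principal name whose "unparsed" string form contains a backslash escape such as "\n". The block below models how a Kerberos principal is split into components and re-assembled with those escapes, so the shape of such a name can be seen and checked for. The escape table is an assumption, my reading of which characters krb5_unparse_name escapes ('/', '@', '\' and the control characters TAB, LF, BS and NUL); the sample names are constructed, not captured from any KDC.

```python
# Added example, not from this bug report or from the MIT krb5 source tree.
# Models the parse/unparse of a Kerberos principal with backslash escapes, to
# show the kind of principal name the NVD entry for CVE-2011-0281 describes
# (one whose unparsed form contains an escape sequence such as "\n").
# Assumption: the escape table below is my reading of what krb5_unparse_name
# escapes ('/', '@', '\\' and the control characters TAB, LF, BS and NUL);
# it is not copied from krb5.

ESCAPES = {
    "/": "\\/", "@": "\\@", "\\": "\\\\",
    "\t": "\\t", "\n": "\\n", "\b": "\\b", "\0": "\\0",
}
# Reverse map: the character after a backslash -> the character it stands for.
UNESCAPES = {seq[1]: raw for raw, seq in ESCAPES.items()}


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (components, realm), honouring escapes.

    A backslash protects the next character, so 'a\\/b' is one component 'a/b'
    and '\\n' is a literal newline inside a component.
    """
    components, current, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            current.append(UNESCAPES.get(nxt, nxt))
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(current))
            current = []
        elif not in_realm and ch == "@":
            components.append("".join(current))
            current = []
            in_realm = True
        else:
            current.append(ch)
        i += 1
    if in_realm:
        return components, "".join(current)
    components.append("".join(current))
    return components, None


def unparse_principal(components, realm):
    """Re-assemble a principal, escaping every character listed in ESCAPES."""
    def esc(s):
        return "".join(ESCAPES.get(ch, ch) for ch in s)
    out = "/".join(esc(c) for c in components)
    if realm is not None:
        out += "@" + esc(realm)
    return out


def unparse_emits_escape(components, realm):
    """True when unparsing this principal produces at least one backslash
    escape, i.e. when the name falls into the class the NVD entry describes
    as the CVE-2011-0281 trigger on an unpatched LDAP-backed KDC."""
    parts = list(components) + ([realm] if realm is not None else [])
    return any(ch in ESCAPES for part in parts for ch in part)


if __name__ == "__main__":
    # Constructed sample names (not captured from any real KDC).
    samples = [
        (["host", "kdc1.example.test"], "EXAMPLE.TEST"),
        (["alice\n"], "EXAMPLE.TEST"),
        (["svc/odd", "x@y"], "EXAMPLE.TEST"),
    ]
    for comps, realm in samples:
        wire = unparse_principal(comps, realm)
        back = parse_principal(wire)
        print(f"{wire!r:40} escape={unparse_emits_escape(comps, realm)} "
              f"roundtrip={back == (comps, realm)}")
```

The round trip matters for the check: a name that looks harmless in its component form ("alice" followed by a newline) only shows the escape once unparsed, which is the form the LDAP back end handles according to the NVD text, so any pre-filter has to look at characters in the components, not at the display string.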
CVE-2010-4022 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4022): The do_standalone function in the MIT krb5 KDC database propagation daemon (kpropd) in Kerberos 1.7, 1.8, and 1.9, when running in standalone mode, does not properly handle when a worker child process "exits abnormally," which allows remote attackers to cause a denial of service (listening process termination, no new connections, and lack of updates in slave KDC) via unspecified vectors.
This issue was resolved and addressed in GLSA 201201-13 at http://security.gentoo.org/glsa/glsa-201201-13.xml by GLSA coordinator Sean Amoss (ackle).