From $URL:
CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
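The check the commit message describes, as an added example that is not part of the original thread and is not Heimdal's code: a simplified C model in which a reply's cleartext service name and its `enc_part` service name disagree. The struct and function names are hypothetical, and the principals are constructed sample values.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not Heimdal's types: realm plus name components. */
typedef struct { const char *realm; int ncomp; const char *comp[3]; } principal;

/* A KDC-REP carries the service name twice: in the cleartext ticket and
   inside enc_part, which is protected by the reply key. */
typedef struct {
    principal ticket_sname; /* cleartext copy, not integrity-protected */
    principal enc_sname;    /* copy recovered by decrypting enc_part */
} kdc_rep;

static int principal_eq(const principal *a, const principal *b)
{
    if (strcmp(a->realm, b->realm) != 0 || a->ncomp != b->ncomp)
        return 0;
    for (int i = 0; i < a->ncomp; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return 0;
    return 1;
}

/* Behaviour before the fix: validates the unencrypted name. */
int check_sname_unencrypted(const kdc_rep *rep, const principal *requested)
{ return principal_eq(&rep->ticket_sname, requested); }

/* Behaviour after the fix: validates the name taken from enc_part. */
int check_sname_encrypted(const kdc_rep *rep, const principal *requested)
{ return principal_eq(&rep->enc_sname, requested); }

/* Constructed sample: the service the client asked for. */
principal requested_service(void)
{ return (principal){ "EXAMPLE.ORG", 2, { "host", "files.example.org" } }; }

/* Constructed sample: cleartext name matches the request, enc_part does not. */
kdc_rep sample_mismatched_reply(void)
{
    kdc_rep rep = { requested_service(),
                    { "EXAMPLE.ORG", 2, { "host", "other.example.org" } } };
    return rep;
}

int main(void)
{
    kdc_rep rep = sample_mismatched_reply();
    principal want = requested_service();
    printf("unencrypted check accepts: %d\n", check_sname_unencrypted(&rep, &want));
    printf("encrypted check accepts:   %d\n", check_sname_encrypted(&rep, &want));
    return 0;
}
```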
Update: https://www.samba.org/samba/security/CVE-2017-11103.html
Arches, please test and mark stable:
=app-crypt/heimdal-7.4.0
Thank you.
@samba: Can you please comment on whether we're affected by samba embedding, cf. comment 1 (i.e. whether we unbundle heimdal and use system libraries)? If we embed it in any form please clone this bug and create a tracker.
The Samba Security Announcement states:
Samba versions built against MIT Kerberos are not impacted. Unless you are running Samba as an AD DC, then rebuild samba using:
./configure --with-system-mitkrb5.
Our in-tree ebuilds do appear to already use this configure option.
(In reply to John R. Graham from comment #4)
> The Samba Security Announcement states:
>
> Samba versions built against MIT Kerberos are not impacted. Unless
> you are running Samba as an AD DC, then rebuild samba using:
>
> ./configure --with-system-mitkrb5.
>
> Our in-tree ebuilds do appear to already use this configure option.
Thank you for the confirmation
Stable on alpha.
(In reply to Tobias Klausmann from comment #6)
> Stable on alpha.
Bullshit. Amd64 stable.
ia64 stable
arm stable
x86 stable
sparc was dropped to exp. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b5901d8f716555a1479f12313a2925fcadd177a9
ppc/ppc64 stable
ohhhhhhhhhh HPPA....
hppa stable
GLSA Vote: No
Maintainer(s), please clean the vulnerable versions.
cleanup done
Thank you all