CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
In _krb5_extract_ticket() the KDC-REP service name must be obtained from the
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
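A simplified model of the bug described above, added here as an illustration and not Heimdal's code: the service name in the cleartext 'ticket' is untrusted, while the copy inside the sealed 'enc_part' is authoritative. An HMAC stands in for Kerberos encryption, and every key and principal name is constructed.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Toy model (not Heimdal code): the cleartext 'ticket' sname travels unprotected,
# while the sname inside 'enc_part' is sealed under the client's key.
@dataclass
class KdcRep:
    ticket_sname: str   # unencrypted field in the KDC-REP 'ticket'
    enc_part: bytes     # sealed EncKDCRepPart carrying the authoritative sname

def seal(key: bytes, fields: dict) -> bytes:
    """Stand-in for encryption: HMAC-SHA256 tag || JSON body (constructed)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag before trusting anything inside enc_part."""
    tag, body = blob[:32], blob[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("enc_part integrity check failed")
    return json.loads(body)

def build_rep(key: bytes, sname: str) -> KdcRep:
    """What an honest KDC emits: both copies of the name agree."""
    return KdcRep(ticket_sname=sname, enc_part=seal(key, {"sname": sname}))

def extract_sname_vulnerable(rep: KdcRep, key: bytes) -> str:
    """Pre-fix behaviour: enc_part is verified, but the name is then read from
    the unauthenticated 'ticket' field, so a modified cleartext name is accepted."""
    unseal(key, rep.enc_part)
    return rep.ticket_sname

def extract_sname_fixed(rep: KdcRep, key: bytes) -> str:
    """Fixed behaviour: the service name comes only from the sealed enc_part."""
    return unseal(key, rep.enc_part)["sname"]

def sname_mismatch(rep: KdcRep, key: bytes) -> bool:
    """Defensive check worth logging: cleartext and sealed names disagree."""
    return rep.ticket_sname != unseal(key, rep.enc_part)["sname"]

def demo() -> tuple:
    key = b"client-session-key"            # constructed sample key
    rep = build_rep(key, "host/real.example.com")
    # The cleartext name is altered in transit; enc_part is sealed, so it is not.
    altered = KdcRep(ticket_sname="host/impostor.example.com", enc_part=rep.enc_part)
    return (extract_sname_vulnerable(altered, key),
            extract_sname_fixed(altered, key),
            sname_mismatch(altered, key))

if __name__ == "__main__":
    print(demo())
```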
Arches, please test and mark stable
@samba: Can you please comment on whether we're affected by samba embedding, cf. comment 1 (i.e. whether we unbundle heimdal and use system libraries)?
If we embed it in any form please clone this bug and create a tracker.
The Samba Security Announcement states:
Samba versions built against MIT Kerberos are not impacted. Unless
you are running Samba as an AD DC, then rebuild samba using:
./configure --with-system-mitkrb5.
Our in-tree ebuilds do appear to already use this configure option.
(In reply to John R. Graham from comment #4)
> The Samba Security Announcement states:
> Samba versions built against MIT Kerberos are not impacted. Unless
> you are running Samba as an AD DC, then rebuild samba using:
> ./configure --with-system-mitkrb5.
> Our in-tree ebuilds do appear to already use this configure option.
Thank you for the confirmation
Stable on alpha.
(In reply to Tobias Klausmann from comment #6)
> Stable on alpha.
Bullshit. Amd64 stable.
sparc was dropped to exp.
GLSA Vote: No
Maintainer(s), please clean the vulnerable versions.
Thank you all