[ubuntu/lucid-security] krb5 1.8.1+dfsg-2ubuntu0.14 (Accepted)

Marc Deslauriers marc.deslauriers at canonical.com
Tue Feb 10 19:30:34 UTC 2015 

krb5 (1.8.1+dfsg-2ubuntu0.14) lucid-security; urgency=medium

  * SECURITY UPDATE: ticket forging via old keys
    - src/lib/kadm5/srv/svr_principal.c: return only new keys
    - af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca
    - CVE-2014-5321
  * SECURITY UPDATE: use-after-free and double-free memory access
    violations
    - properly handle context deletion in
      src/lib/gssapi/krb5/context_time.c,
      src/lib/gssapi/krb5/export_sec_context.c,
      src/lib/gssapi/krb5/gssapiP_krb5.h,
      src/lib/gssapi/krb5/gssapi_krb5.c,
      src/lib/gssapi/krb5/inq_context.c,
      src/lib/gssapi/krb5/k5seal.c,
      src/lib/gssapi/krb5/k5sealiov.c,
      src/lib/gssapi/krb5/k5unseal.c,
      src/lib/gssapi/krb5/k5unsealiov.c,
      src/lib/gssapi/krb5/lucid_context.c,
      src/lib/gssapi/krb5/prf.c,
      src/lib/gssapi/krb5/process_context_token.c,
      src/lib/gssapi/krb5/wrap_size_limit.c.
    - 82dc33da50338ac84c7b4102dc6513d897d0506a
    - CVE-2014-5352
  * SECURITY UPDATE: denial of service via LDAP query with no results
    - src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c: properly handle
      policy name.
    - d1f707024f1d0af6e54a18885322d70fa15ec4d3
    - CVE-2014-5353
  * SECURITY UPDATE: denial of service via database entry for a keyless
    principal
    - src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c: support keyless
      principals.
    - 877ad027ca2103f3ac2f581451fdd347a76b8981
    - CVE-2014-5354
  * SECURITY UPDATE: denial of service or code execution in kadmind XDR
    data processing
    - fix double free in src/lib/kadm5/kadm_rpc_xdr.c,
      src/lib/rpc/auth_gssapi_misc.c.
    - a197e92349a4aa2141b5dff12e9dd44c2a2166e3
    - CVE-2014-9421
  * SECURITY UPDATE: impersonation attack via two-component server
    principals
    - src/kadmin/server/kadm_rpc_svc.c: fix kadmind server validation.
    - 6609658db0799053fbef0d7d0aa2f1fd68ef32d8
    - CVE-2014-9422
  * SECURITY UPDATE: gssrpc data leakage
    - src/lib/rpc/svc_auth_gss.c: fix leakage.
    - 5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c
    - CVE-2014-9423

Date: 2015-02-06 21:07:20.277381+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/+source/krb5/1.8.1+dfsg-2ubuntu0.14
-------------- next part --------------
Sorry, changesfile not available.

More information about the Lucid-changes mailing list