[ubuntu/trusty-updates] krb5 1.12+dfsg-2ubuntu5.2 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Thu Nov 12 18:28:20 UTC 2015


krb5 (1.12+dfsg-2ubuntu5.2) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via incorrect null bytes
    - d/p/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch:
      properly handle null bytes in src/appl/user_user/server.c,
      src/lib/krb5/krb/recvauth.c.
    - CVE-2015-5355
  * SECURITY UPDATE: preauthentication requirement bypass in kdcpreauth
    - d/p/0031-Prevent-requires_preauth-bypass-CVE-2015-2694.patch:
      improve logic in src/plugins/preauth/otp/main.c,
      src/plugins/preauth/pkinit/pkinit_srv.c.
    - CVE-2015-2694
  * SECURITY UPDATE: SPNEGO context aliasing bugs
    - d/p/0031-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch:
      improve logic in src/lib/gssapi/spnego/gssapiP_spnego.h,
      src/lib/gssapi/spnego/spnego_mech.c.
    - d/p/0036-Fix-SPNEGO-context-import.patch: fix SPNEGO context import
      in src/lib/gssapi/spnego/spnego_mech.c.
    - CVE-2015-2695
  * SECURITY UPDATE: IAKERB context aliasing bugs
    - d/p/0032-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch:
      improve logic in src/lib/gssapi/krb5/gssapiP_krb5.h,
      src/lib/gssapi/krb5/gssapi_krb5.c, src/lib/gssapi/krb5/iakerb.c.
    - d/p/0034-Fix-two-IAKERB-comments.patch: fix comments in
      src/lib/gssapi/krb5/iakerb.c.
    - CVE-2015-2696
  * SECURITY UPDATE: KDC crash via invalid string processing
    - d/p/0033-Fix-build_principal-memory-bug-CVE-2015-2697.patch:
      use k5memdup0() instead of strdup() in src/lib/krb5/krb/bld_princ.c.
    - CVE-2015-2697
  * SECURITY UPDATE: memory corruption in IAKERB context export/import
    - d/p/0035-Fix-IAKERB-context-export-import-CVE-2015-2698.patch:
      dereferencing the context_handle pointer before casting it in
      and implement implement an IAKERB gss_import_sec_context() function
      in src/lib/gssapi/krb5/gssapiP_krb5.h,
      src/lib/gssapi/krb5/gssapi_krb5.c, src/lib/gssapi/krb5/iakerb.c.
    - CVE-2015-2698

Date: 2015-11-11 15:21:24.146725+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/krb5/1.12+dfsg-2ubuntu5.2
-------------- next part --------------
Sorry, changesfile not available.


More information about the Trusty-changes mailing list