[Bug 113326] Please sync krb5 (main) from Debian unstable (main)

Kees Cook kees at ubuntu.com
Tue May 8 13:26:40 BST 2007


Public bug reported:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 affects ubuntu/krb5
 status confirmed
 subscribe ubuntu-archive

Please sync krb5 (main) from Debian unstable (main).

Explanation of the Ubuntu delta and why it can be dropped:
All Ubuntu changes have been incorporated upstream.

Changelog since current gutsy version 1.4.4-5ubuntu3:

krb5 (1.6.dfsg.1-2) unstable; urgency=low

  * Fix shlibdeps to reflect 1.6.dfsg.1 instead of 1.6.1
  * Upload 1.6 to unstable

 -- Sam Hartman <hartmans at debian.org>  Thu,  3 May 2007 20:23:47 -0400

krb5 (1.6.dfsg.1-1) experimental; urgency=low

  * Oops, I failed to understand how the version numbers work.  Since 1.6.1 is less than 1.6.dfsg, the version numbering is going to be a bit screwy for the 1.6 series.  We will use 1.6.dfsg.1 for 1.6.1.
  * Update to update-inetd dependency, Closes: #420748

 -- Sam Hartman <hartmans at debian.org>  Sun, 29 Apr 2007 08:59:28 -0400

krb5 (1.6.1.dfsg-1) experimental; urgency=low

  * Depend on keyutils-lib-dev so we consistently get keyring cache support
  * New Portuguese translation, thanks Miguel Figueiredo, Closes: #409318
  * New Upstream release
      - Update shlibs for new API
  * Fix handling of null realm in krb5_rd_req_decoded; now we treat a null realm as a default realm there.

 -- Sam Hartman <hartmans at debian.org>  Sat, 28 Apr 2007 16:21:03 -0400

krb5 (1.6.dfsg-1) experimental; urgency=low

  * New 1.6 release from upstream.
  * Update copyright

 -- Sam Hartman <hartmans at debian.org>  Thu,  1 Feb 2007 22:26:08 -0500

krb5 (1.6.dfsg~alpha1-1) experimental; urgency=low

  * New upstream release
  * Remove IETF RFCs, Closes: #393380
  * Update copyright file based on new copyrights upstream

 -- Sam Hartman <hartmans at debian.org>  Wed, 22 Nov 2006 10:28:13 -0500

krb5 (1.4.4-8) unstable; urgency=emergency

  * MIT-SA-2007-1: telnet allows login as an arbitrary user when
    presented with a specially crafted username; CVE-2007-0956
  * krb5_klog_syslog has a trivial buffer overflow that can be exploited
    by network data; CVE-2007-0957.  The upstream patch is very intrusive
    because it fixes each call to syslog to have proper length checking as
    well as the actual krb5_klog_syslog internals to use vsnprintf rather
    than vsprintf.  I have chosen to only include the change to
    krb5_klog_syslog for sarge.  This is sufficient to fix the problem but
    is much smaller and less intrusive.  (MIT-SA-2007-2)
  * MIT-SA-2007-3: The GSS-API library can cause a double free if
    applications treat certain errors decoding a message as errors that
    require freeing the output buffer.  At least the gssapi rpc library
    does this, so kadmind is vulnerable.  Fix the gssapi library because
    the spec allows applications to treat errors this way.  CVE-2007-1216
  * New Japanese translation, thanks TANAKA Atushi, Closes: #414382

 -- Sam Hartman <hartmans at debian.org>  Sun, 11 Mar 2007 19:08:52 -0400

krb5 (1.4.4-7) unstable; urgency=low

  * Translation updates:
    - New Portuguese translation, thanks Rui Branco.  (Closes: #409318)

 -- Russ Allbery <rra at debian.org>  Wed, 21 Feb 2007 15:23:08 -0800


krb5 (1.4.4-6) unstable; urgency=emergency

  * MIT-SA-2006-2: kadmind and rpc library call through function pointer
    to freed memory (CVE-2006-6143).  Null out xp_auth unless it is
    associated with an rpcsec_gss connection.

 -- Sam Hartman <hartmans at debian.org>  Thu,  4 Jan 2007 16:07:02 -0500


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGQGx5H/9LqRcGPm0RApebAJ9Fqsrnueio5W76x+M1E3t/ErlyEACfcxTq
8m3HPUpRHpPqwioofMluFbQ=
=Odcq
-----END PGP SIGNATURE-----

** Affects: krb5 (Ubuntu)
     Importance: Undecided
         Status: Confirmed

-- 
Please sync krb5 (main) from Debian unstable (main)
https://bugs.launchpad.net/bugs/113326
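The MIT-SA-2007-2 / CVE-2007-0957 entry in the changelog above describes the fix to krb5_klog_syslog as switching its internals from vsprintf to vsnprintf. The following is an added illustration of that bug class and its repair; it is not krb5's code and is not the Debian patch. A minimal syslog-style wrapper is shown in its unbounded form beside the bounded form, and a constructed over-long "principal name" stands in for the network-supplied data the advisory refers to. The buffer size (64 bytes), the function names (klog_format_unsafe, klog_format, klog_principal, klog_probe) and the format string are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Illustration only: a syslog-style formatting wrapper in the shape the
 * changelog describes. It is not krb5's krb5_klog_syslog; the buffer size,
 * names and format strings are assumptions made for this example. */

#define KLOG_BUF_SIZE 64  /* assumed fixed buffer, as in many log wrappers */

struct klog_result {
    char   msg[KLOG_BUF_SIZE]; /* text that would be handed to syslog(3) */
    size_t needed;             /* bytes the full message needs, excluding NUL */
    int    overflowed;         /* 1 if an unbounded vsprintf would have overrun msg */
    int    truncated;          /* 1 if the bounded write had to cut the message */
};

/* BEFORE: the vulnerable pattern. vsprintf is never told how large msg is, so
 * a format argument longer than the buffer (an attacker-chosen name arriving
 * over the network) writes past the end of the array. This function is only
 * ever called below with a short, benign argument. */
void klog_format_unsafe(char *msg, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(msg, fmt, ap);   /* unbounded write: the bug class being fixed */
    va_end(ap);
}

/* AFTER: the hardened pattern. vsnprintf is given the buffer size, never
 * writes past it, always NUL-terminates, and returns the length the complete
 * message would have had, so the caller can detect truncation rather than
 * silently corrupting memory. */
static int klog_format_v(struct klog_result *r, const char *fmt, va_list ap)
{
    int n = vsnprintf(r->msg, sizeof r->msg, fmt, ap);
    if (n < 0) {                      /* encoding error: report it, leave msg empty */
        r->msg[0] = '\0';
        r->needed = 0;
        r->overflowed = r->truncated = 0;
        return -1;
    }
    r->needed = (size_t)n;
    /* vsprintf would have written needed + 1 bytes (including the NUL) */
    r->overflowed = (r->needed + 1 > sizeof r->msg);
    r->truncated  = r->overflowed;
    return 0;
}

int klog_format(struct klog_result *r, const char *fmt, ...)
{
    va_list ap;
    int rc;
    va_start(ap, fmt);
    rc = klog_format_v(r, fmt, ap);
    va_end(ap);
    return rc;
}

/* Log a request naming a principal of untrusted origin; the "%s" argument is
 * the part an attacker controls in the scenario the advisory describes. */
int klog_principal(struct klog_result *r, const char *name)
{
    return klog_format(r, "request from principal %s", name);
}

/* Constructed test input: a principal name of name_len 'A's, standing in for
 * an over-long name received from the network. Returns -1 if name_len does
 * not fit the scratch array, otherwise the result of klog_principal(). */
int klog_probe(struct klog_result *r, size_t name_len)
{
    char name[512];
    if (name_len >= sizeof name)
        return -1;
    memset(name, 'A', name_len);
    name[name_len] = '\0';
    return klog_principal(r, name);
}

int main(void)
{
    struct klog_result r;
    char small[KLOG_BUF_SIZE];

    klog_format_unsafe(small, "request from principal %s", "alice"); /* 28 bytes, fits */
    printf("unsafe wrapper, benign input: %s\n", small);

    klog_probe(&r, 200);  /* 223 bytes needed; vsprintf would have written past msg */
    printf("bounded wrapper: overflowed=%d truncated=%d needed=%zu kept=%zu\n",
           r.overflowed, r.truncated, r.needed, strlen(r.msg));
    return 0;
}
```

The bounded wrapper alone stops the memory corruption, which is the point the changelog makes about the smaller sarge fix; the larger upstream change it mentions, adding length checks at each syslog call site, additionally keeps the message from being silently cut off, which matters when the truncated field is audit data an operator needs intact.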