[Bug 237768] [NEW] Please sync krb5 1.6.dfsg.3-2 (main) from Debian unstable (main).
Mathias Gug
mathiaz at ubuntu.com
Thu Jun 5 23:10:16 BST 2008
Public bug reported:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
affects ubuntu/krb5
status confirmed
importance wishlist
subscribe ubuntu-archive
Please sync krb5 1.6.dfsg.3-2 (main) from Debian unstable (main).
Explanation of the Ubuntu delta and why it can be dropped:
The Ubuntu delta was due to two security fixes (MITKRB5-SA-2008-001,
MITKRB5-SA-2008-002) which have been fixed:
krb5 (1.6.dfsg.3~beta1-4) unstable; urgency=emergency
* MITKRB5-SA-2008-001: When Kerberos v4 support is enabled in the KDC,
malformed messages may result in NULL pointer use, double-frees, or
exposure of information. (CVE-2008-0062, CVE-2008-0063)
* MITKRB5-SA-2008-002: If the file descriptor limit is larger than
FD_SETSIZE and kadmind has more open connections than FD_SETSIZE, an
array overrun and memory corruption may result. (CVE-2008-0947)
-- Russ Allbery <rra at debian.org> Fri, 07 Mar 2008 18:53:59 -0800
Changelog since current intrepid version 1.6.dfsg.3~beta1-2ubuntu1:
krb5 (1.6.dfsg.4~beta1-1) experimental; urgency=low
* Changes from Russ:
* Do not translate the Kerberos v4 modes. They are literal strings
passed to the Kerberos KDC as arguments to the -4 option. Comment
mentions of those strings in the debconf template so that
translators know this.
* Rather than prompting at installation time for whether the KDC
database should be deleted on purge, prompt in prerm when the package
is being removed for whether the database should be deleted.
* Translation updates:
- Galician, thanks Jacobo Tarrio. (Closes: #482324)
- French, thanks Christian Perrier. (Closes: #482326)
- Vietnamese, thanks Clytie Siddall. (Closes: #482362)
- Basque, thanks Piarres Beobide. (Closes: #482376)
- Czech, thanks Miroslav Kure. (Closes: #482428)
- German, thanks Helge Kreutzmann. (Closes: #482366)
- Spanish, thanks Diego D'Onofrio.
- Finnish, thanks Esko Arajärvi. (Closes: #482682)
- Portuguese, thanks Miguel Figueiredo. (Closes: #483049)
* From Sam:
* remove extra space in debian/rules so upstream configure scripts can work
* Upgrade to 1.6.4 beta 1
* Upstream includes several fixes to bugs that were assigned CVE
numbers; upstream does not actually consider these security issues and
no advisory was issued, but they are included here for the benefit of
the security team in case anyone asks. , Closes: #454974
- fix CVE-2007-5972: double fclose() in
krb5_def_store_mkey()
- fix CVE-2007-5971: double-free in gss_krb5int_make_seal_token_v3()
- fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal()
- fix CVE-2007-5971: free of non-heap pointer in
gss_indicate_mechs()
- fix CVE-2007-5894: apparent uninit length in ftpd.c:reply()
-- Sam Hartman <hartmans at debian.org> Sat, 31 May 2008 10:53:21 -0400
krb5 (1.6.dfsg.3-2) unstable; urgency=low
* kdc.conf was previously in krb5-doc, not uninstalled. Properly
handle moving it to the krb5-kdc package. (Closes: #480452)
* Include libkdb-ldap1 in krb5-kdc-pkinit, install it into a private
directory (/usr/lib/krb5) rather than directly in /usr/lib, and use an
RPATH in kdb5_ldap_util and the plugin to find the library. Drop the
libkdb-ldap1 library package. This library isn't intended to be used
by any software outside of the KDC plugin and utility. Thanks,
Bastian Blank. (Closes: #479384)
* Load defaults for debconf configuration of krb5-admin-server and
krb5-kdc from the /etc/default files if they exist. Thanks, Bastian
Blank. (Closes: #479404)
* Preserve DAEMON_ARGS settings in /etc/default/krb5-admin-server and
/etc/default/krb5-kdc even if debconf configuration is enabled.
* Don't require that a stash file be created in /etc/init.d/krb5-kdc.
Stash files are optional. (Closes: #479457)
* Error out instead of silently existing if debconf's confmodule cannot
be loaded. Given that we depend on debconf, if this fails, something
serious went wrong and we shouldn't ignore it.
* Use /bin/which instead of command -v to check for update-inetd.
* Unconditionally remove kpropd's inetd.conf entry in the postrm of
krb5-kdc rather than special-casing remove and deconfigure.
* Add 256-bit AES and RC4 keys to the default kdc.conf, the first
because it's the strongest enctype currently supported and the second
for Windows compatibility. Improve the README.KDC enctype
documentation.
* Install kerberos.ldif and kerberos.schema in krb5-kdc-ldap as
documentation. Thanks, Bastian Blank. (Closes: #479239)
-- Russ Allbery <rra at debian.org> Fri, 09 May 2008 20:27:16 -0700
krb5 (1.6.dfsg.3-1) unstable; urgency=low
* Final upstream 1.6.3 release.
* Package the LDAP plugin for the KDC, which allows one to use an LDAP
server to store the KDC database. Install the krb5-kdc-ldap package
for the plugin. (Closes: #453113)
* If krb5-config/default_realm isn't set, use EXAMPLE.COM as the realm
so that the kdc.conf will at least be syntactically valid (but will
still require editing). (Closes: #474741)
* krb5-kdc explicitly depends on krb5-config since it relies on debconf
variables set by that package.
* Always stop krb524d on /etc/init.d/krb5-kdc stop even if the
configuration has been changed to no longer run it. Thanks, Bastian
Blank. (Closes: #477294)
* Install the kdc.conf man page. (Closes: #477307)
* krb5-kdc no longer depends on update-inetd and inet-superserver and
instead just suggests openbsd-inetd | inet-superserver and
conditionally adds the commented-out kpropd example if update-inetd is
available. krb5-admin-server doesn't need inet-superserver at all.
Thanks, Bastian Blank. (Closes: #477301)
* Change the doc-base sections to System/Security.
* Correctly mangle the version in the watch file.
* Remove conflicts with packages already not present in oldstable.
* Remove versioned build-dependencies satisfied by oldstable.
* Remove versioned Replaces for versions older than oldstable.
-- Russ Allbery <rra at debian.org> Sun, 27 Apr 2008 20:39:36 -0700
krb5 (1.6.dfsg.3~beta1-4) unstable; urgency=emergency
* MITKRB5-SA-2008-001: When Kerberos v4 support is enabled in the KDC,
malformed messages may result in NULL pointer use, double-frees, or
exposure of information. (CVE-2008-0062, CVE-2008-0063)
* MITKRB5-SA-2008-002: If the file descriptor limit is larger than
FD_SETSIZE and kadmind has more open connections than FD_SETSIZE, an
array overrun and memory corruption may result. (CVE-2008-0947)
-- Russ Allbery <rra at debian.org> Fri, 07 Mar 2008 18:53:59 -0800
krb5 (1.6.dfsg.3~beta1-3) unstable; urgency=low
* Apply cross-build patch from Neil Williams. (Closes: #465294)
* Document in comments that configuration management via debconf should
be disabled before making manual changes to /etc/default/krb5-kdc and
/etc/default/krb5-admin-server. (Closes: #443326)
* Support DAEMON_ARGS in /etc/default/krb5-admin-server for kadmind.
Thanks, Dwayne Litzenberger. (Closes: #443331)
* Don't stop the servers in runlevel S. This isn't a real runlevel and
cannot be switched to, so the links are extraneous.
* Use binary:Version instead of Source-Version in debian/control.
* Depend on openbsd-inetd | inet-superserver instead of on update-inetd,
since inetd implementations may provide their own update-inetd.
* Improve quoting and formatting in the postinsts for krb5-kdc and
krb5-admin-server. Error on failure to load debconf, since we do
depend on it. Support reconfigure.
* Fix file locations in the krb524 doc-base control file.
* Add the info documentation to all doc-base control files.
* Fix a variety of man page errors uncovered by man --warnings.
* Wrap Depends and Conflicts fields in debian/control.
* dpkg-dev now compresses duplicate relations, so no need for lintian
overrides.
* Add an override for the empty plugin directory in libkrb53.
* Update standards version to 3.7.3 (no changes required).
* Translation updates:
- Finnish, thanks Esko Arajärvi. (Closes: #451146)
- Dutch, thanks Vincent Zweije. (Closes: #460589)
-- Russ Allbery <rra at debian.org> Mon, 18 Feb 2008 20:53:08 -0800
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFISGRFM0thG+z3pVgRAma0AKDiFS3hWz+b5TgvfzJQMlG7dyzLXACeKYV8
4UdoJ1hFH563ydqNK8KlGKs=
=X1LH
-----END PGP SIGNATURE-----
** Affects: krb5 (Ubuntu)
Importance: Wishlist
Status: Confirmed
--
Please sync krb5 1.6.dfsg.3-2 (main) from Debian unstable (main).
https://bugs.launchpad.net/bugs/237768
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
More information about the Ubuntu-server-bugs
mailing list