[Bug 237768] [NEW] Please sync krb5 1.6.dfsg.3-2 (main) from Debian unstable (main).

Mathias Gug mathiaz at ubuntu.com
Thu Jun 5 23:10:16 BST 2008


Public bug reported:

 affects ubuntu/krb5
 status confirmed
 importance wishlist
 subscribe ubuntu-archive

Please sync krb5 1.6.dfsg.3-2 (main) from Debian unstable (main).


Explanation of the Ubuntu delta and why it can be dropped:

The Ubuntu delta was due to two security fixes (MITKRB5-SA-2008-001,
MITKRB5-SA-2008-002) which have been fixed:

krb5 (1.6.dfsg.3~beta1-4) unstable; urgency=emergency

  * MITKRB5-SA-2008-001: When Kerberos v4 support is enabled in the KDC,
    malformed messages may result in NULL pointer use, double-frees, or
    exposure of information.  (CVE-2008-0062, CVE-2008-0063)
  * MITKRB5-SA-2008-002: If the file descriptor limit is larger than
    FD_SETSIZE and kadmind has more open connections than FD_SETSIZE, an
    array overrun and memory corruption may result.  (CVE-2008-0947)

 -- Russ Allbery <rra at debian.org>  Fri, 07 Mar 2008 18:53:59 -0800
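The FD_SETSIZE condition described in MITKRB5-SA-2008-002 is a general hazard for any select()-based daemon, not just kadmind. The C below is an added example (not krb5's or Debian's code) showing a bounds-checked FD_SET() wrapper and two rlimit helpers that let a daemon detect, or clamp, a descriptor limit above FD_SETSIZE at startup; the function names are my own.

```c
#include <errno.h>
#include <sys/resource.h>
#include <sys/select.h>

/* Hardened replacement for a bare FD_SET(): an fd_set is a fixed bitmap of
 * FD_SETSIZE bits, so FD_SET() on a larger descriptor writes past its end
 * (the array overrun in MITKRB5-SA-2008-002). Refuse such descriptors
 * instead; the caller should close() and log them. */
int fdset_add_checked(fd_set *set, int fd, int *maxfd)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    if (fd > *maxfd)
        *maxfd = fd;
    return 0;
}

/* Returns 1 when the soft RLIMIT_NOFILE exceeds FD_SETSIZE, i.e. the kernel
 * may hand this process descriptors that select() cannot track; 0 otherwise;
 * -1 if getrlimit() fails. A useful startup sanity check for any daemon that
 * still multiplexes with select(). */
int nofile_limit_exceeds_fdsetsize(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return rl.rlim_cur > (rlim_t)FD_SETSIZE ? 1 : 0;
}

/* Stopgap mitigation: lower the soft limit to FD_SETSIZE so the process can
 * never be given a descriptor the fd_set cannot represent. Lowering a soft
 * limit requires no privilege. Returns 0 on success, -1 on failure. */
int clamp_nofile_to_fdsetsize(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur <= (rlim_t)FD_SETSIZE)
        return 0;
    rl.rlim_cur = FD_SETSIZE;
    return setrlimit(RLIMIT_NOFILE, &rl);
}
```

poll() and epoll have no FD_SETSIZE ceiling and are the structural fix; the clamp only protects code that must keep using select().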

Changelog since current intrepid version 1.6.dfsg.3~beta1-2ubuntu1:

krb5 (1.6.dfsg.4~beta1-1) experimental; urgency=low

  * Changes from Russ:
    * Do not translate the Kerberos v4 modes.  They are literal strings
      passed to the Kerberos KDC as arguments to the -4 option.  Comment
      mentions of those strings in the debconf template so that
      translators know this.
    * Rather than prompting at installation time for whether the KDC
      database should be deleted on purge, prompt in prerm when the package
      is being removed for whether the database should be deleted.
    * Translation updates:
      - Galician, thanks Jacobo Tarrio.  (Closes: #482324)
      - French, thanks Christian Perrier.  (Closes: #482326)
      - Vietnamese, thanks Clytie Siddall.  (Closes: #482362)
      - Basque, thanks Piarres Beobide.  (Closes: #482376)
      - Czech, thanks Miroslav Kure.  (Closes: #482428)
      - German, thanks Helge Kreutzmann.  (Closes: #482366)
      - Spanish, thanks Diego D'Onofrio.
      - Finnish, thanks Esko Arajärvi.  (Closes: #482682)
      - Portuguese, thanks Miguel Figueiredo.  (Closes: #483049)
  * From Sam:
    * remove extra space in debian/rules so upstream configure scripts can work
    * Upgrade to 1.6.4 beta 1
    * Upstream includes several fixes to bugs that were assigned CVE
      numbers; upstream does not actually consider these security issues and
      no advisory was issued, but they are included here for the benefit of
      the security team in case anyone asks.  (Closes: #454974)
      - fix CVE-2007-5972: double fclose() in krb5_def_store_mkey()
      - fix CVE-2007-5971: double-free in gss_krb5int_make_seal_token_v3()
      - fix CVE-2007-5902: integer overflow in svcauth_gss_get_principal()
      - fix CVE-2007-5971: free of non-heap pointer in gss_indicate_mechs()
      - fix CVE-2007-5894: apparent uninit length in ftpd.c:reply()

 -- Sam Hartman <hartmans at debian.org>  Sat, 31 May 2008 10:53:21 -0400

krb5 (1.6.dfsg.3-2) unstable; urgency=low

  * kdc.conf was previously in krb5-doc, not uninstalled.  Properly
    handle moving it to the krb5-kdc package.  (Closes: #480452)
  * Include libkdb-ldap1 in krb5-kdc-pkinit, install it into a private
    directory (/usr/lib/krb5) rather than directly in /usr/lib, and use an
    RPATH in kdb5_ldap_util and the plugin to find the library.  Drop the
    libkdb-ldap1 library package.  This library isn't intended to be used
    by any software outside of the KDC plugin and utility.  Thanks,
    Bastian Blank.  (Closes: #479384)
  * Load defaults for debconf configuration of krb5-admin-server and
    krb5-kdc from the /etc/default files if they exist.  Thanks, Bastian
    Blank.  (Closes: #479404)
  * Preserve DAEMON_ARGS settings in /etc/default/krb5-admin-server and
    /etc/default/krb5-kdc even if debconf configuration is enabled.
  * Don't require that a stash file be created in /etc/init.d/krb5-kdc.
    Stash files are optional.  (Closes: #479457)
  * Error out instead of silently exiting if debconf's confmodule cannot
    be loaded.  Given that we depend on debconf, if this fails, something
    serious went wrong and we shouldn't ignore it.
  * Use /bin/which instead of command -v to check for update-inetd.
  * Unconditionally remove kpropd's inetd.conf entry in the postrm of
    krb5-kdc rather than special-casing remove and deconfigure.
  * Add 256-bit AES and RC4 keys to the default kdc.conf, the first
    because it's the strongest enctype currently supported and the second
    for Windows compatibility.  Improve the README.KDC enctype
    documentation.
  * Install kerberos.ldif and kerberos.schema in krb5-kdc-ldap as
    documentation.  Thanks, Bastian Blank.  (Closes: #479239)

 -- Russ Allbery <rra at debian.org>  Fri, 09 May 2008 20:27:16 -0700

krb5 (1.6.dfsg.3-1) unstable; urgency=low

  * Final upstream 1.6.3 release.
  * Package the LDAP plugin for the KDC, which allows one to use an LDAP
    server to store the KDC database.  Install the krb5-kdc-ldap package
    for the plugin.  (Closes: #453113)
  * If krb5-config/default_realm isn't set, use EXAMPLE.COM as the realm
    so that the kdc.conf will at least be syntactically valid (but will
    still require editing).  (Closes: #474741)
  * krb5-kdc explicitly depends on krb5-config since it relies on debconf
    variables set by that package.
  * Always stop krb524d on /etc/init.d/krb5-kdc stop even if the
    configuration has been changed to no longer run it.  Thanks, Bastian
    Blank.  (Closes: #477294)
  * Install the kdc.conf man page.  (Closes: #477307)
  * krb5-kdc no longer depends on update-inetd and inet-superserver and
    instead just suggests openbsd-inetd | inet-superserver and
    conditionally adds the commented-out kpropd example if update-inetd is
    available.  krb5-admin-server doesn't need inet-superserver at all.
    Thanks, Bastian Blank.  (Closes: #477301)
  * Change the doc-base sections to System/Security.
  * Correctly mangle the version in the watch file.
  * Remove conflicts with packages already not present in oldstable.
  * Remove versioned build-dependencies satisfied by oldstable.
  * Remove versioned Replaces for versions older than oldstable.

 -- Russ Allbery <rra at debian.org>  Sun, 27 Apr 2008 20:39:36 -0700

krb5 (1.6.dfsg.3~beta1-4) unstable; urgency=emergency

  * MITKRB5-SA-2008-001: When Kerberos v4 support is enabled in the KDC,
    malformed messages may result in NULL pointer use, double-frees, or
    exposure of information.  (CVE-2008-0062, CVE-2008-0063)
  * MITKRB5-SA-2008-002: If the file descriptor limit is larger than
    FD_SETSIZE and kadmind has more open connections than FD_SETSIZE, an
    array overrun and memory corruption may result.  (CVE-2008-0947)

 -- Russ Allbery <rra at debian.org>  Fri, 07 Mar 2008 18:53:59 -0800

krb5 (1.6.dfsg.3~beta1-3) unstable; urgency=low

  * Apply cross-build patch from Neil Williams.  (Closes: #465294)
  * Document in comments that configuration management via debconf should
    be disabled before making manual changes to /etc/default/krb5-kdc and
    /etc/default/krb5-admin-server.  (Closes: #443326)
  * Support DAEMON_ARGS in /etc/default/krb5-admin-server for kadmind.
    Thanks, Dwayne Litzenberger.  (Closes: #443331)
  * Don't stop the servers in runlevel S.  This isn't a real runlevel and
    cannot be switched to, so the links are extraneous.
  * Use binary:Version instead of Source-Version in debian/control.
  * Depend on openbsd-inetd | inet-superserver instead of on update-inetd,
    since inetd implementations may provide their own update-inetd.
  * Improve quoting and formatting in the postinsts for krb5-kdc and
    krb5-admin-server.  Error on failure to load debconf, since we do
    depend on it.  Support reconfigure.
  * Fix file locations in the krb524 doc-base control file.
  * Add the info documentation to all doc-base control files.
  * Fix a variety of man page errors uncovered by man --warnings.
  * Wrap Depends and Conflicts fields in debian/control.
  * dpkg-dev now compresses duplicate relations, so no need for lintian
    overrides.
  * Add an override for the empty plugin directory in libkrb53.
  * Update standards version to 3.7.3 (no changes required).
  * Translation updates:
    - Finnish, thanks Esko Arajärvi.  (Closes: #451146)
    - Dutch, thanks Vincent Zweije.  (Closes: #460589)

 -- Russ Allbery <rra at debian.org>  Mon, 18 Feb 2008 20:53:08 -0800



** Affects: krb5 (Ubuntu)
     Importance: Wishlist
         Status: Confirmed

-- 
Please sync krb5 1.6.dfsg.3-2 (main) from Debian unstable (main).
https://bugs.launchpad.net/bugs/237768
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
