-
krb5 (1.12+dfsg-2ubuntu5.4) trusty-security; urgency=medium
* SECURITY UPDATE: DoS (out-of-bounds read) via a crafted string
- debian/patches/CVE-2015-8629.patch: Verify decoded kadmin C strings
- CVE-2015-8629
* SECURITY UPDATE: DoS (NULL pointer dereference) by specifying KADM5_POLICY
with a NULL policy name
- debian/patches/CVE-2015-8630.patch: Check for null kadm5 policy name
- CVE-2015-8630
* SECURITY UPDATE: DoS (memory consumption) via a request specifying a NULL
principal name
- debian/patches/CVE-2015-8631.patch: Fix leaks in kadmin server stubs
- CVE-2015-8631
* SECURITY UPDATE: DoS (NULL pointer dereference) via a crafted request to
modify a principal
- debian/patches/CVE-2016-3119.patch: Fix LDAP null dereference on
empty arg
- CVE-2016-3119
* SECURITY UPDATE: DoS (NULL pointer dereference) via an S4U2Self request
- debian/patches/CVE-2016-3120.patch: Fix S4U2Self KDC crash when anon
is restricted
- CVE-2016-3120
* SECURITY UPDATE: KDC assertion failure
- debian/patches/CVE-2017-11368-1.patch: Prevent KDC unset status
assertion failures
- debian/patches/CVE-2017-11368-2.patch: Simplify KDC status assignment
- CVE-2017-11368
* SECURITY UPDATE: Double free vulnerability
- debian/patches/CVE-2017-11462.patch: Preserve GSS context on init/accept
failure
- CVE-2017-11462
* SECURITY UPDATE: Authenticated kadmin with permission to add principals
to an LDAP Kerberos can DoS or bypass DN container check.
- debian/patches/CVE-2018-5729-CVE-2018-5730.patch: Fix flaws in LDAP DN
checking
- CVE-2018-5729
- CVE-2018-5730
-- Eduardo Barretto <email address hidden> Wed, 09 Jan 2019 14:01:22 -0200
-
krb5 (1.12+dfsg-2ubuntu5.3) trusty; urgency=medium
* d/p/upstream/0001-Add-SPNEGO-special-case-for-NTLMSSP-MechListMIC.patch:
Cherry-pick from upstream to add SPNEGO special case for
NTLMSSP+MechListMIC. LP: #1643708.
-- Steve Langasek <email address hidden> Mon, 21 Nov 2016 18:14:47 -0800
-
krb5 (1.12+dfsg-2ubuntu5.2) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via incorrect null bytes
- d/p/0030-Fix-krb5_read_message-handling-CVE-2014-5355.patch:
properly handle null bytes in src/appl/user_user/server.c,
src/lib/krb5/krb/recvauth.c.
- CVE-2015-5355
* SECURITY UPDATE: preauthentication requirement bypass in kdcpreauth
- d/p/0031-Prevent-requires_preauth-bypass-CVE-2015-2694.patch:
improve logic in src/plugins/preauth/otp/main.c,
src/plugins/preauth/pkinit/pkinit_srv.c.
- CVE-2015-2694
* SECURITY UPDATE: SPNEGO context aliasing bugs
- d/p/0031-Fix-SPNEGO-context-aliasing-bugs-CVE-2015-2695.patch:
improve logic in src/lib/gssapi/spnego/gssapiP_spnego.h,
src/lib/gssapi/spnego/spnego_mech.c.
- d/p/0036-Fix-SPNEGO-context-import.patch: fix SPNEGO context import
in src/lib/gssapi/spnego/spnego_mech.c.
- CVE-2015-2695
* SECURITY UPDATE: IAKERB context aliasing bugs
- d/p/0032-Fix-IAKERB-context-aliasing-bugs-CVE-2015-2696.patch:
improve logic in src/lib/gssapi/krb5/gssapiP_krb5.h,
src/lib/gssapi/krb5/gssapi_krb5.c, src/lib/gssapi/krb5/iakerb.c.
- d/p/0034-Fix-two-IAKERB-comments.patch: fix comments in
src/lib/gssapi/krb5/iakerb.c.
- CVE-2015-2696
* SECURITY UPDATE: KDC crash via invalid string processing
- d/p/0033-Fix-build_principal-memory-bug-CVE-2015-2697.patch:
use k5memdup0() instead of strdup() in src/lib/krb5/krb/bld_princ.c.
- CVE-2015-2697
* SECURITY UPDATE: memory corruption in IAKERB context export/import
- d/p/0035-Fix-IAKERB-context-export-import-CVE-2015-2698.patch:
dereferencing the context_handle pointer before casting it in
and implement an IAKERB gss_import_sec_context() function
in src/lib/gssapi/krb5/gssapiP_krb5.h,
src/lib/gssapi/krb5/gssapi_krb5.c, src/lib/gssapi/krb5/iakerb.c.
- CVE-2015-2698
-- Marc Deslauriers <email address hidden> Wed, 11 Nov 2015 09:08:08 -0500
-
krb5 (1.12+dfsg-2ubuntu5.1) trusty-security; urgency=medium
* SECURITY UPDATE: ticket forging via old keys
- debian/patches/CVE-2014-5321.patch: return only new keys in
src/lib/kadm5/srv/svr_principal.c.
- CVE-2014-5321
* SECURITY UPDATE: use-after-free and double-free memory access
violations
- debian/patches/CVE-2014-5352.patch: properly handle context deletion
in src/lib/gssapi/krb5/context_time.c,
src/lib/gssapi/krb5/export_sec_context.c,
src/lib/gssapi/krb5/gssapiP_krb5.h,
src/lib/gssapi/krb5/gssapi_krb5.c,
src/lib/gssapi/krb5/inq_context.c,
src/lib/gssapi/krb5/k5seal.c,
src/lib/gssapi/krb5/k5sealiov.c,
src/lib/gssapi/krb5/k5unseal.c,
src/lib/gssapi/krb5/k5unsealiov.c,
src/lib/gssapi/krb5/lucid_context.c,
src/lib/gssapi/krb5/prf.c,
src/lib/gssapi/krb5/process_context_token.c,
src/lib/gssapi/krb5/wrap_size_limit.c.
- CVE-2014-5352
* SECURITY UPDATE: denial of service via LDAP query with no results
- debian/patches/CVE-2014-5353.patch: properly handle policy name in
src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c.
- CVE-2014-5353
* SECURITY UPDATE: denial of service via database entry for a keyless
principal
- debian/patches/CVE-2014-5354.patch: support keyless principals in
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c.
- CVE-2014-5354
* SECURITY UPDATE: denial of service or code execution in kadmind XDR
data processing
- debian/patches/CVE-2014-9421.patch: fix double free in
src/lib/kadm5/kadm_rpc_xdr.c, src/lib/rpc/auth_gssapi_misc.c.
- CVE-2014-9421
* SECURITY UPDATE: impersonation attack via two-component server
principals
- debian/patches/CVE-2014-9422.patch: fix kadmind server validation in
src/kadmin/server/kadm_rpc_svc.c.
- CVE-2014-9422
* SECURITY UPDATE: gssrpc data leakage
- debian/patches/CVE-2014-9423.patch: fix leakage in
src/lib/gssapi/mechglue/mglueP.h, src/lib/rpc/svc_auth_gss.c.
- CVE-2014-9423
-- Marc Deslauriers <email address hidden> Fri, 06 Feb 2015 15:26:22 -0500
-
krb5 (1.12+dfsg-2ubuntu5) trusty; urgency=low
* Use ADD_METHOD_NOLOOP rather than ADD_METHOD for new GSS-API entry
points, avoids infinite recursive loop when a mechanism doesn't
provide an entry point and does include calls back into the mechglue
(LP: #1326500)
* Make libkadm5srv-mit8 be arch: any multi-arch: same to work around
upgrade bug (LP: #1334052)
* Use tailq macros to work around GCC 4.8 optimizer bug and prevent
infinite loop for database propagation (LP: #1347147)
-- Sam Hartman <email address hidden> Wed, 30 Jul 2014 21:06:49 -0400
-
krb5 (1.12+dfsg-2ubuntu4.2) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via invalid tokens
- debian/patches/CVE-2014-4341-4342.patch: handle invalid tokens in
src/lib/gssapi/krb5/k5unseal.c, src/lib/gssapi/krb5/k5unsealiov.c.
- CVE-2014-4341
- CVE-2014-4342
* SECURITY UPDATE: denial of service via double-free in SPNEGO
- debian/patches/CVE-2014-4343.patch: fix double-free in
src/lib/gssapi/spnego/spnego_mech.c.
- CVE-2014-4343
* SECURITY UPDATE: denial of service via null deref in SPNEGO acceptor
- debian/patches/CVE-2014-4344.patch: validate REMAIN in
src/lib/gssapi/spnego/spnego_mech.c.
- CVE-2014-4344
* SECURITY UPDATE: denial of service and possible code execution in
kadmind with LDAP backend
- debian/patches/CVE-2014-4345.patch: fix off-by-one in
src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
- CVE-2014-4345
-- Marc Deslauriers <email address hidden> Fri, 08 Aug 2014 14:58:49 -0400
-
krb5 (1.12+dfsg-2ubuntu4) trusty; urgency=low
* Add transitional libkadm5srv-mit8 package to help libapt
calculate the upgrade (LP: #1304403) to trusty.
This transitional package can be dropped once trusty is
released.
-- Michael Vogt <email address hidden> Wed, 09 Apr 2014 11:11:43 +0200
-
krb5 (1.12+dfsg-2ubuntu3) trusty; urgency=medium
* Add missing versioned Replaces: libkadm5srv-mit8 to the libkdb5-7 package.
Fixes upgrades from trusty. (LP: #1304403)
-- Martin Pitt <email address hidden> Tue, 08 Apr 2014 18:04:14 +0200
-
krb5 (1.12+dfsg-2ubuntu2) trusty; urgency=medium
* debian/rules: force -O2 to work around build failure with -O3.
-- Adam Conrad <email address hidden> Mon, 17 Feb 2014 08:50:33 +0000
-
krb5 (1.12+dfsg-2ubuntu1) trusty; urgency=low
* Merge from Debian unstable. Remaining changes:
- Add alternate dependency on libverto-libevent1 as that's the
package ABI name in ubuntu.
krb5 (1.12+dfsg-2) unstable; urgency=low
* Split out libkrad-dev into its own package, Closes: #735323
krb5 (1.12+dfsg-1) experimental; urgency=low
[ Benjamin Kaduk ]
* New upstream release (closes: #730085, #728845, #637662, #729291).
* Update HURD compatibility patch (closes: #729191).
* Move pkgconfig files to krb5-multidev and avoid conflicts with
heimdal (closes: #730267).
krb5 (1.12~alpha1+dfsg-1) experimental; urgency=low
[ Benjamin Kaduk ]
* New upstream release, Closes: #694988, #697954
* Build-depend on python-lxml, Closes: #725596
* Remove Debian versions from symbols
* Add myself to uploaders
[ Sam Hartman ]
* Build-depend on libverto-dev 0.2.4 to get verto_set_flags
krb5 (1.11.3+dfsg-3+nmu1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
* Add python-lxml build dependency (closes: #725596).
* Fix cve-2013-1417: KDC daemon crash condition (closes: #730085).
* Fix cve-2013-1418: null pointer dereference issue (closes: #728845).
-- Timo Aaltonen <email address hidden> Tue, 04 Feb 2014 14:29:23 +0200
-
krb5 (1.11.3+dfsg-3ubuntu2) trusty; urgency=low
* Add alternate dependency on libverto-libevent1 as that's the package
ABI name in ubuntu.
-- Dmitrijs Ledkovs <email address hidden> Sun, 10 Nov 2013 02:20:12 +0000
-
krb5 (1.11.3+dfsg-3ubuntu1) trusty; urgency=low
* Add build dependency on python-lxml. Closes: #725596.
krb5 (1.11.3+dfsg-3) unstable; urgency=low
[ Benjamin Kaduk ]
* Update config.sub and config.guess, patch from upstream, Closes: #717840
* Update Brazilian Portuguese Translation, thanks Fernando Ike,
Closes: #719726
* Bump the version of the gssrpc_clnt_create symbol. The routine itself
was changed in a backwards-compatible way, but callers from the kadm5
libraries were changed to rely on the new behavior, Closes: #718275
* Add symbols files for the kadm5 libraries. The KADM5 API version number
was increased for the 1.11 release but the corresponding library sonames
were not, so we must indicate the behavior change ourself, Closes: #716772
[ Sam Hartman ]
* krb5-kdc depends on libverto-libev1, work around for #652699
* Remove krb5-kdc conflict since it's more than one release cycle old
* Add Benjamin Kaduk to uploaders
krb5 (1.11.3+dfsg-2) experimental; urgency=low
* Run autoreconf to update configure based on aclocal patch
krb5 (1.11.3+dfsg-1) experimental; urgency=low
* New upstream version
- Turns out 1.11.2+dfsg didn't include the pingpong fix, but this
does, Closes: #
krb5 (1.11.2+dfsg-2) experimental; urgency=low
* Import upstream's patch to not warn or error on variadic macros,
Closes: #709824
krb5 (1.11.2+dfsg-1) experimental; urgency=low
* New upstream version, Closes: #697662
- By not depending on texinfo, we avoid FTBFSing from its changes,
Closes: #708711
* Fix "usage of keytabs gives "Generic preauthentication failure while
getting initial credentials"" via upstream change to prefer keys in
the keytab
(Closes: #698534)
* Fixed upstream "kerberos password policy attributes missing from
kerberos.schema" (Closes:
#655381)
* Remove arch-dep and arch-indep dependency in rules (Closes: #708973)
-- Matthias Klose <email address hidden> Wed, 23 Oct 2013 18:47:25 +0200
-
krb5 (1.11.3+dfsg-3) unstable; urgency=low
[ Benjamin Kaduk ]
* Update config.sub and config.guess, patch from upstream, Closes: #717840
* Update Brazilian Portuguese Translation, thanks Fernando Ike,
Closes: #719726
* Bump the version of the gssrpc_clnt_create symbol. The routine itself
was changed in a backwards-compatible way, but callers from the kadm5
libraries were changed to rely on the new behavior, Closes: #718275
* Add symbols files for the kadm5 libraries. The KADM5 API version number
was increased for the 1.11 release but the corresponding library sonames
were not, so we must indicate the behavior change ourself, Closes: #716772
[ Sam Hartman ]
* krb5-kdc depends on libverto-libev1, work around for #652699
* Remove krb5-kdc conflict since it's more than one release cycle old
* Add Benjamin Kaduk to uploaders
-- Sam Hartman <email address hidden> Sun, 25 Aug 2013 16:48:53 -0400
-
krb5 (1.10.1+dfsg-6.1ubuntu1) saucy; urgency=low
* Update config.{guess,sub} for Aarch64.
-- Matthias Klose <email address hidden> Tue, 23 Jul 2013 22:15:04 +0200