Created by Peter Pearse and last modified
Get this branch:
bzr branch lp:~peter-pearse/ubuntu/natty/krb5/bootstrap1
Branch information

Peter Pearse

Recent revisions

34. By Peter Pearse

Stage 1 build for bootstrapping - debian staging mechanism not implemented.

33. By Steve Beattie

* SECURITY UPDATE: kpropd denial of service via invalid network input
  - src/slave/kpropd.c: don't return on kpropd child exit; applied
  - CVE-2010-4022
  - MITKRB5-SA-2011-001
* SECURITY UPDATE: kdc denial of service from unauthenticated remote
  - src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h,
    applied inline
  - CVE-2011-0281
  - CVE-2011-0282
  - MITKRB5-SA-2011-002

32. By Sam Hartman

Ignore PACs without a server signature generated by OS X Open
Directory rather than failing authentication, Closes: #604925

31. By Sam Hartman

* MITKRB5-SA-2010-007
  * CVE-2010-1324: An unauthenticated attacker can inject arbitrary
    content into an existing GSS connection that appears to be integrity
    protected from the legitimate peer under some circumstances
  * GSS applications may accept a PAC produced by an attacker as if it
    were signed by a KDC
  * CVE-2010-1323: attackers have a 1/256 chance of being able to
    produce krb_safe messages that appear to be from legitimate remote
    sources. Other than use in KDC database copies this may not be a
    huge issue only because no one actually uses krb_safe
    messages. Similarly, an attacker can force clients to display
    challenge/response values of the attacker's choice.
  * CVE-2010-4020: An attacker may be able to generate what is
    accepted as an ad-signedpath or ad-kdc-issued checksum with 1/256
* New Vietnamese debconf translations, Thanks Clytie Siddall,
  Closes: #601533
* Update standards version to 3.9.1 (no changes required

30. By Sam Hartman

* MITKRB5-SA-2010-006 [CVE-2010-1322]: null pointer dereference in
  kdc_authdata.c leading to KDC crash, Closes: #599237
* Fix two memory leaks in krb5_get_init_creds path; one of these memory
  leaks is quite common for any application such as PAM or kinit that
  gets initial credentials, thanks Bastian Blank, Closes: #598032
* Install doc/CHANGES only in krb5-doc, not in all packages, saves
  several megabytes on most Debian systems, Closes: #599562

29. By Kees Cook

* SECURITY UPDATE: remote authenticated user denial of service.
  - src/kdc/kdc_authdata.c: patched inline, thanks to upstream.
  - CVE-2010-1322, MITKRB5-SA-2010-006

28. By Sam Hartman

* Ignore duplicate token sent in mechListMIC from Windows 2000 SPNEGO
  (LP: #551901)
* krb5-admin-server starts after krb5-kdc, Closes: #583494

27. By Sam Hartman

* CVE-2010-1321 GSS-API accept sec context null pointer deref, Closes:
* Force use of bash for build, Closes: #581473
* Start slapd before krb5 when krb5-kdc-ldap installed, Closes:

26. By Sam Hartman

Fix crash in renewal and validation, Thanks Joel Johnson for such a
prompt bug report, Closes: #577490

25. By Kees Cook

* SECURITY UPDATE: unauthenticated remote service crash.
  - src/lib/gssapi/spnego/spnego_mech.c: back-ported upstream fixes
    from krb5 1.8.1.
  - MITKRB5-SA-2010-002 (CVE-2010-0628)

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)