Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/natty-security/krb5

Branch information

Ubuntu branches
Review team:
Ubuntu Development Team

Recent revisions

40. By Steve Beattie

* SECURITY UPDATE: KDC heap corruption and crash vulnerabilities
  - src/kdc/kdc_preauth.c, src/kdc/kdc_util.c,
    src/lib/kdb/kdb_default.c: initialize pointers both at allocation
    and assignment time
  - CVE-2012-1015
* SECURITY UPDATE: denial of service in kadmind (LP: #1009422)
  - src/lib/kadm5/srv/svr_principal.c: check for null password
  - CVE-2012-1013

39. By Steve Beattie

* SECURITY UPDATE: fix multiple kdc DoS issues:
  - db2/lockout.c, ldap/libkdb_ldap/ldap_principal2.c,
    + more strict checking for null pointers
    + disable assert and return when db is locked
    + applied inline
  - CVE-2011-1528 and CVE-2011-1529
  - MITKRB5-SA-2011-006

38. By Kees Cook

* SECURITY UPDATE: kadmind denial of service from freeing of uninitialized
  - src/kadmin/server/{network,schpw}.c: fix, thanks to upstream.
  - CVE-2011-0285
  - MITKRB5-SA-2011-004

37. By Steve Langasek

releasing version 1.8.3+dfsg-5ubuntu2

36. By Steve Langasek

* FFe LP: #733501
* Build for multiarch, with pre-depends on multiarch-support virtual
* Add Breaks: on old versions of external packages (i.e., sssd) using
  /usr/lib/krb5 due to the path transition.

35. By Steve Beattie

* SECURITY UPDATE: kdc denial of service due to double-free if PKINIT
  capability is used.
  - src/kdc/do_as_req.c: clear fields on allocation; applied inline,
    thanks to upstream
  - CVE-2011-0284
  - MITKRB5-SA-2011-003

34. By Sam Hartman

* KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282,
  Closes: #613487
* Fix delegation of credentials against Windows servers; significant
  interoperability issue, Closes: #611906
* Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes:
* Don't fail authentication when PAC verification fails; support hmac-
  md5 checksums even for non-RC4 keys, Closes: #616728

33. By Steve Beattie

* SECURITY UPDATE: kpropd denial of service via invalid network input
  - src/slave/kpropd.c: don't return on kpropd child exit; applied
  - CVE-2010-4022
  - MITKRB5-SA-2011-001
* SECURITY UPDATE: kdc denial of service from unauthenticated remote
  - src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h,
    applied inline
  - CVE-2011-0281
  - CVE-2011-0282
  - MITKRB5-SA-2011-002

32. By Sam Hartman

Ignore PACs without a server signature generated by OS X Open
Directory rather than failing authentication, Closes: #604925

31. By Sam Hartman

* MITKRB5-SA-2010-007
    * CVE-2010-1324: An unauthenticated attacker can inject arbitrary
      content into an existing GSS connection that appears to be integrity
      protected from the legitimate peer under some circumstances
    * GSS applications may accept a PAC produced by an attacker as if it
      were signed by a KDC
    * CVE-2010-1323: attackers have a 1/256 chance of being able to
      produce krb_safe messages that appear to be from legitimate remote
      sources. Other than use in KDC database copies this may not be a
      huge issue only because no one actually uses krb_safe
      messages. Similarly, an attacker can force clients to display
      challenge/response values of the attacker's choice.
    * CVE-2010-4020: An attacker may be able to generate what is
      accepted as an ad-signedpath or ad-kdc-issued checksum with 1/256
* New Vietnamese debconf translations, Thanks Clytie Siddall,
  Closes: #601533
* Update standards version to 3.9.1 (no changes required

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)