
[pkgsrc/pkgsrc-2017Q3]: pkgsrc/security/mit-krb5 Pullup ticket #5569 - reques...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/aa35d43d0926
branches:  pkgsrc-2017Q3
changeset: 408526:aa35d43d0926
user:      spz <spz%pkgsrc.org@localhost>
date:      Sun Oct 15 12:06:58 2017 +0000

description:
Pullup ticket #5569 - requested by sevan
security/mit-krb5: security update

Revisions pulled up:
- security/mit-krb5/Makefile                                    1.95
- security/mit-krb5/distinfo                                    1.62
- security/mit-krb5/patches/patch-CVE-2017-11368                deleted

-------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   tez
   Date:           Tue Oct 10 21:22:53 UTC 2017

   Modified Files:
           pkgsrc/security/mit-krb5: Makefile distinfo
   Removed Files:
           pkgsrc/security/mit-krb5/patches: patch-CVE-2017-11368

   Log Message:
   mit-krb5: update to 1.14.6

   Major changes in 1.14.6 (2017-09-25)

   This is a bug fix release.

       Fix a KDC denial of service vulnerability caused by unset status
   strings [CVE-2017-11368]
       Preserve GSS contexts on init/accept failure [CVE-2017-11462]
       Fix kadm5 setkey operation with LDAP KDB module
       Use a ten-second timeout after successful connection for HTTPS KDC
   requests, as we do for TCP requests
       Fix client null dereference when KDC offers encrypted challenge
   without FAST


   To generate a diff of this commit:
   cvs rdiff -u -r1.94 -r1.95 pkgsrc/security/mit-krb5/Makefile
   cvs rdiff -u -r1.61 -r1.62 pkgsrc/security/mit-krb5/distinfo
   cvs rdiff -u -r1.1 -r0 pkgsrc/security/mit-krb5/patches/patch-CVE-2017-11368

diffstat:

 security/mit-krb5/Makefile                     |   5 +-
 security/mit-krb5/distinfo                     |  10 +-
 security/mit-krb5/patches/patch-CVE-2017-11368 |  79 --------------------------
 3 files changed, 7 insertions(+), 87 deletions(-)

diffs (115 lines):

diff -r 76a4ec795959 -r aa35d43d0926 security/mit-krb5/Makefile
--- a/security/mit-krb5/Makefile        Sun Oct 15 11:49:07 2017 +0000
+++ b/security/mit-krb5/Makefile        Sun Oct 15 12:06:58 2017 +0000
@@ -1,8 +1,7 @@
-# $NetBSD: Makefile,v 1.94 2017/08/21 22:19:26 tez Exp $
+# $NetBSD: Makefile,v 1.94.4.1 2017/10/15 12:06:58 spz Exp $
 
-DISTNAME=      krb5-1.14.5
+DISTNAME=      krb5-1.14.6
 PKGNAME=       mit-${DISTNAME}
-PKGREVISION=   1
 CATEGORIES=    security
 MASTER_SITES=  http://web.mit.edu/kerberos/dist/krb5/${PKGVERSION_NOREV:R}/
 EXTRACT_SUFX=  .tar.gz
diff -r 76a4ec795959 -r aa35d43d0926 security/mit-krb5/distinfo
--- a/security/mit-krb5/distinfo        Sun Oct 15 11:49:07 2017 +0000
+++ b/security/mit-krb5/distinfo        Sun Oct 15 12:06:58 2017 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.61 2017/08/21 22:19:26 tez Exp $
+$NetBSD: distinfo,v 1.61.4.1 2017/10/15 12:06:58 spz Exp $
 
-SHA1 (krb5-1.14.5.tar.gz) = 3b8d8c4a09350f8807a8e6eb9971617755a4521f
-RMD160 (krb5-1.14.5.tar.gz) = 673087853a1ce9551d69516e01fbfd888feff717
-SHA512 (krb5-1.14.5.tar.gz) = 2484f9581b5e0b99cc49ba7f8770ea3a8751e756c98cc552d92ca223575eac58f6f1a9c268254ead4435d2d49b50ccf3181eb7bdbd56874c43f91bcfc2a66d3b
-Size (krb5-1.14.5.tar.gz) = 12322802 bytes
+SHA1 (krb5-1.14.6.tar.gz) = ea7928a3368ae6d8ecf29a70f70598091f226740
+RMD160 (krb5-1.14.6.tar.gz) = 7e9f8192845d11108a3c48dd707d7d4bc5dd0a29
+SHA512 (krb5-1.14.6.tar.gz) = 8a88193e40aa60bb10dc57028a7c83aaac48cfded5d369b9f5383851854f1ea3df3587f7bce8b22d4e5cf2ce5825eb37c8d85684abad29da04db34e8f7962ca7
+Size (krb5-1.14.6.tar.gz) = 12326355 bytes
 SHA1 (patch-CVE-2017-11368) = 91551099d48690c051ada72889bc645706775eb1
 SHA1 (patch-Makefile.in) = 11ead9de708f4da99233b66df2cf906b156faa87
 SHA1 (patch-aa) = 941848a1773dfbe51dff3134d4b8504a850a958d
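Review bot: The new side of the distinfo hunk still carries `SHA1 (patch-CVE-2017-11368) = 91551099d48690c051ada72889bc645706775eb1` as an unchanged line right after the updated tarball checksums, although this same changeset deletes security/mit-krb5/patches/patch-CVE-2017-11368 because 1.14.6 carries the upstream fix for CVE-2017-11368. A distinfo entry for a patch file that no longer exists leaves the checksum list out of sync with the patches directory, which the pkgsrc patch checksum step presumably reports as a mismatch (worth confirming with a build of the pullup on the branch). Removing that line together with the patch keeps distinfo describing exactly the files that are applied.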
diff -r 76a4ec795959 -r aa35d43d0926 security/mit-krb5/patches/patch-CVE-2017-11368
--- a/security/mit-krb5/patches/patch-CVE-2017-11368    Sun Oct 15 11:49:07 2017 +0000
+++ /dev/null   Thu Jan 01 00:00:00 1970 +0000
@@ -1,79 +0,0 @@
-$NetBSD: patch-CVE-2017-11368,v 1.1 2017/08/21 22:19:26 tez Exp $
-
-Patch for CVE-2017-11368 from:
-https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970.diff
-
-
-diff --git kdc/do_as_req.c b/src/kdc/do_as_req.c
-index 2d3ad134d0..9b256c8764 100644
---- kdc/do_as_req.c
-+++ kdc/do_as_req.c
-@@ -366,8 +366,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode)
-     did_log = 1;
- 
- egress:
--    if (errcode != 0)
--        assert (state->status != 0);
-+    if (errcode != 0 && state->status == NULL)
-+        state->status = "UNKNOWN_REASON";
- 
-     au_state->status = state->status;
-     au_state->reply = &state->reply;
-diff --git kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index cdc79ad2f1..d8d67199b9 100644
---- kdc/do_tgs_req.c
-+++ kdc/do_tgs_req.c
-@@ -823,7 +823,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt,
-     free(reply.enc_part.ciphertext.data);
- 
- cleanup:
--    assert(status != NULL);
-+    if (status == NULL)
-+        status = "UNKNOWN_REASON";
-     if (reply_key)
-         krb5_free_keyblock(kdc_context, reply_key);
-     if (errcode)
-diff --git kdc/kdc_util.c b/src/kdc/kdc_util.c
-index 778a629e52..b710aefe4c 100644
---- kdc/kdc_util.c
-+++ kdc/kdc_util.c
-@@ -1220,8 +1220,10 @@ kdc_process_for_user(kdc_realm_t *kdc_active_realm,
-     req_data.data = (char *)pa_data->contents;
- 
-     code = decode_krb5_pa_for_user(&req_data, &for_user);
--    if (code)
-+    if (code) {
-+        *status = "DECODE_PA_FOR_USER";
-         return code;
-+    }
- 
-     code = verify_for_user_checksum(kdc_context, tgs_session, for_user);
-     if (code) {
-@@ -1320,8 +1322,10 @@ kdc_process_s4u_x509_user(krb5_context context,
-     req_data.data = (char *)pa_data->contents;
- 
-     code = decode_krb5_pa_s4u_x509_user(&req_data, s4u_x509_user);
--    if (code)
-+    if (code) {
-+        *status = "DECODE_PA_S4U_X509_USER";
-         return code;
-+    }
- 
-     code = verify_s4u_x509_user_checksum(context,
-                                          tgs_subkey ? tgs_subkey :
-@@ -1624,6 +1628,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
-      * that is validated previously in validate_tgs_request().
-      */
-     if (request->kdc_options & (NON_TGT_OPTION | KDC_OPT_ENC_TKT_IN_SKEY)) {
-+        *status = "INVALID_S4U2PROXY_OPTIONS";
-         return KRB5KDC_ERR_BADOPTION;
-     }
- 
-@@ -1631,6 +1636,7 @@ kdc_process_s4u2proxy_req(kdc_realm_t *kdc_active_realm,
-     if (!krb5_principal_compare(kdc_context,
-                                 server->princ, /* after canon */
-                                 server_princ)) {
-+        *status = "EVIDENCE_TICKET_MISMATCH";
-         return KRB5KDC_ERR_SERVER_NOMATCH;
-     }
- 


