Debian Package Tracker

From: Sam Hartman <hartmans@debian.org>
To: <debian-changes@lists.debian.org>
Subject: Accepted krb5 1.3.6-2sarge4 (source i386 all)
Date: Sat, 07 Apr 2007 13:14:21 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 11 Mar 2007 18:52:11 -0400
Source: krb5
Binary: krb5-doc libkrb5-dev krb5-rsh-server krb5-user krb5-ftpd libkadm55 libkrb53 krb5-clients krb5-telnetd krb5-kdc krb5-admin-server
Architecture: source i386 all
Version: 1.3.6-2sarge4
Distribution: stable-security
Urgency: emergency
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Sam Hartman <hartmans@debian.org>
Description: 
 krb5-admin-server - Mit Kerberos master server (kadmind)
 krb5-clients - Secure replacements for ftp, telnet and rsh using MIT Kerberos
 krb5-doc   - Documentation for krb5
 krb5-ftpd  - Secure FTP server supporting MIT Kerberos
 krb5-kdc   - Mit Kerberos key server (KDC)
 krb5-rsh-server - Secure replacements for rshd and rlogind  using MIT Kerberos
 krb5-telnetd - Secure telnet server supporting MIT Kerberos
 krb5-user  - Basic programs to authenticate using MIT Kerberos
 libkadm55  - MIT Kerberos administration runtime libraries
 libkrb5-dev - Headers and development libraries for MIT Kerberos
 libkrb53   - MIT Kerberos runtime libraries
Changes: 
 krb5 (1.3.6-2sarge4) stable-security; urgency=emergency
 .
   * MIT-SA-2007-1: telnet allows  login as an arbitrary user when
     presented with a specially crafted username; CVE-2007-0956
   * krb5_klog_syslog has a trivial buffer overflow that can be exploited
     by network data; CVE-2007-0957.  The upstream patch is very intrusive
     because it fixes each call to syslog to have proper length checking as
     well as the actual krb5_klog_syslog internals to use vsnprintf rather
     than vsprintf.  I have chosen to only include the change to
     krb5_klog_syslog for sarge.  This is sufficient to fix the problem but
     is much smaller and less intrusive.   (MIT-SA-2007-2)
   * MIT-SA-2007-3: The GSS-API library can cause a double free if
     applications treat certain errors decoding a message as errors that
     require freeing the output buffer.  At least the gssapi rpc library
     does this, so kadmind is vulnerable.    Fix the gssapi library because
     the spec allows applications to treat errors this way.  CVE-2007-1216
Files: 
 a4a9a2cff9292af1de210f83edcee281 782 net standard krb5_1.3.6-2sarge4.dsc
 006edbace85ee6fab561c8f5ba59914d 666048 net standard krb5_1.3.6-2sarge4.diff.gz
 9bd56e8f5a673661416a042cc315509b 718724 doc optional krb5-doc_1.3.6-2sarge4_all.deb
 aba5e1342c5c0d993b45d79ba7733b93 165536 libs optional libkadm55_1.3.6-2sarge4_i386.deb
 b5e0a23fa9d19709e2541d1247646c53 349210 libs standard libkrb53_1.3.6-2sarge4_i386.deb
 424e2d5b62373d8d903b0610e1c096f1 127714 net optional krb5-user_1.3.6-2sarge4_i386.deb
 e84d322bdd6aa2880dfba7777b081afa 191318 net optional krb5-clients_1.3.6-2sarge4_i386.deb
 21feee38a4073694deae7a94b7c74961 75686 net optional krb5-rsh-server_1.3.6-2sarge4_i386.deb
 25c09098ba171b5870e03138c3fb8c07 52708 net extra krb5-ftpd_1.3.6-2sarge4_i386.deb
 57277b50a393a4b804f6e44e8fbed14c 57572 net extra krb5-telnetd_1.3.6-2sarge4_i386.deb
 00e1857255939453af3e38584e52d75d 116110 net optional krb5-kdc_1.3.6-2sarge4_i386.deb
 4ebb65f09a2813e7a87099683a76a936 95302 net optional krb5-admin-server_1.3.6-2sarge4_i386.deb
 bcde4ee063fa9ad80072f9e60af18a48 574568 libdevel extra libkrb5-dev_1.3.6-2sarge4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF/46E/I12czyGJg8RAvWAAKCZZLjyIFw3JlrUUTSQryoHSoyKgACeNuUP
B6Rd/cUtK0zSIIndDfXC6S0=
=wyYA
-----END PGP SIGNATURE-----


Accepted:
krb5-admin-server_1.3.6-2sarge4_i386.deb
  to pool/main/k/krb5/krb5-admin-server_1.3.6-2sarge4_i386.deb
krb5-clients_1.3.6-2sarge4_i386.deb
  to pool/main/k/krb5/krb5-clients_1.3.6-2sarge4_i386.deb
krb5-doc_1.3.6-2sarge4_all.deb
  to pool/main/k/krb5/krb5-doc_1.3.6-2sarge4_all.deb
krb5-ftpd_1.3.6-2sarge4_i386.deb
  to pool/main/k/krb5/krb5-ftpd_1.3.6-2sarge4_i386.deb
krb5-kdc_1.3.6-2sarge4_i386.deb
  to pool/main/k/krb5/krb5-kdc_1.3.6-2sarge4_i386.deb
krb5-rsh-server_1.3.6-2sarge4_i386.deb
  to pool/main/k/krb5/krb5-rsh-server_1.3.6-2sarge4_i386.deb
krb5-telnetd_1.3.6-2sarge4_i386.deb
  to pool/main/k/krb5/krb5-telnetd_1.3.6-2sarge4_i386.deb
krb5-user_1.3.6-2sarge4_i386.deb
  to pool/main/k/krb5/krb5-user_1.3.6-2sarge4_i386.deb
krb5_1.3.6-2sarge4.diff.gz
  to pool/main/k/krb5/krb5_1.3.6-2sarge4.diff.gz
krb5_1.3.6-2sarge4.dsc
  to pool/main/k/krb5/krb5_1.3.6-2sarge4.dsc
libkadm55_1.3.6-2sarge4_i386.deb
  to pool/main/k/krb5/libkadm55_1.3.6-2sarge4_i386.deb
libkrb5-dev_1.3.6-2sarge4_i386.deb
  to pool/main/k/krb5/libkrb5-dev_1.3.6-2sarge4_i386.deb
libkrb53_1.3.6-2sarge4_i386.deb
  to pool/main/k/krb5/libkrb53_1.3.6-2sarge4_i386.deb
News for package krb5
