Debian Package Tracker

general

source: krb5 (main)
version: 1.16-2
maintainer: Sam Hartman [DMD]
uploaders: Russ Allbery [DMD] – Benjamin Kaduk [DMD]
arch: all any
std-ver: 4.1.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 1.10.1+dfsg-5+deb7u7
o-o-sec: 1.10.1+dfsg-5+deb7u9
oldstable: 1.12.1+dfsg-19+deb8u4
old-sec: 1.12.1+dfsg-19+deb8u2
stable: 1.15-1+deb9u1
testing: 1.16-2
unstable: 1.16-2

versioned links

1.10.1+dfsg-5+deb7u7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.10.1+dfsg-5+deb7u9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.12.1+dfsg-19+deb8u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.12.1+dfsg-19+deb8u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.15-1+deb9u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
1.16-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

krb5-admin-server
krb5-doc
krb5-gss-samples
krb5-k5tls
krb5-kdc
krb5-kdc-ldap
krb5-kpropd
krb5-locales
krb5-multidev
krb5-otp
krb5-pkinit
krb5-user
libgssapi-krb5-2
libgssrpc4
libk5crypto3
libkadm5clnt-mit11
libkadm5srv-mit11
libkdb5-9
libkrad-dev
libkrad0
libkrb5-3
libkrb5-dbg
libkrb5-dev
libkrb5support0

action needed

4 security issues in sid high

There are 4 open security issues in sid.

4 important issues:

CVE-2018-5709: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.
CVE-2018-5729: MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.
CVE-2018-5710: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function "strlen" is getting a "NULL" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.
CVE-2018-5730: MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.

Please fix them.

Created: 2018-01-17 Last update: 2018-03-31 07:54

4 security issues in buster high

There are 4 open security issues in buster.

4 important issues:

CVE-2018-5709: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.
CVE-2018-5729: MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.
CVE-2018-5710: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function "strlen" is getting a "NULL" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.
CVE-2018-5730: MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.

Please fix them.

Created: 2018-01-17 Last update: 2018-03-31 07:54

6 security issues in wheezy high

There are 6 open security issues in wheezy.

4 important issues:

CVE-2018-5709: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.
CVE-2018-5729: MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.
CVE-2018-5710: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function "strlen" is getting a "NULL" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.
CVE-2018-5730: MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.

2 issues skipped by the security teams:

CVE-2015-2694: The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.
CVE-2017-11462: Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.

Please fix them.

Created: 2015-07-12 Last update: 2018-03-31 07:54

5 security issues in jessie high

There are 5 open security issues in jessie.

4 important issues:

CVE-2018-5709: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.
CVE-2018-5729: MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.
CVE-2018-5710: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function "strlen" is getting a "NULL" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.
CVE-2018-5730: MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.

1 issue skipped by the security teams:

CVE-2017-11462: Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.

Please fix them.

Created: 2015-07-12 Last update: 2018-03-31 07:54

5 security issues in stretch high

There are 5 open security issues in stretch.

4 important issues:

CVE-2018-5709: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data. An attacker can use this vulnerability to affect other artifacts of the database as we know that a Kerberos database dump file contains trusted data.
CVE-2018-5729: MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module.
CVE-2018-5710: An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function "strlen" is getting a "NULL" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.
CVE-2018-5730: MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN.

1 issue skipped by the security teams:

CVE-2017-11462: Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.

Please fix them.

Created: 2017-07-22 Last update: 2018-03-31 07:54

lintian reports 1 warning high

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2017-07-11 Last update: 2017-10-26 01:19

Multiarch hinter reports 2 issue(s) normal

There are issues with the multiarch metadata for this package.

krb5-doc could be marked Multi-Arch: foreign
libkrad-dev could be marked Multi-Arch: same

Created: 2016-09-14 Last update: 2018-04-22 14:17

3 bugs tagged patch in the BTS normal

The BTS contains patches fixing 3 bugs, consider including or untagging them.

Created: 2017-11-21 Last update: 2018-04-22 13:42

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2017-10-26 Last update: 2017-10-26 07:22

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.1.4 instead of 4.1.1).

Created: 2018-01-18 Last update: 2018-04-16 20:45

news

[rss feed]

[2018-01-31] Accepted krb5 1.10.1+dfsg-5+deb7u9 (source all amd64) into oldoldstable (Markus Koschany)
[2018-01-26] krb5 1.16-2 MIGRATED to testing (Debian testing watch)
[2018-01-20] Accepted krb5 1.16-2 (source) into unstable (Sam Hartman)
[2018-01-18] Accepted krb5 1.16-1 (all amd64 source) into unstable, unstable (Sam Hartman)
[2017-11-03] krb5 1.15.2-2 MIGRATED to testing (Debian testing watch)
[2017-10-29] Accepted krb5 1.15.2-2 (source amd64 all) into unstable (Benjamin Kaduk)
[2017-10-25] Accepted krb5 1.15.2-1 (source amd64 all) into unstable (Benjamin Kaduk)
[2017-09-08] Accepted krb5 1.12.1+dfsg-19+deb8u4 (source all amd64) into oldstable-proposed-updates->oldstable-new, oldstable-proposed-updates (Sam Hartman)
[2017-08-14] Accepted krb5 1.10.1+dfsg-5+deb7u8 (source all amd64) into oldoldstable (Lucas Kanashiro)
[2017-08-12] Accepted krb5 1.15-1+deb9u1 (source) into proposed-updates->stable-new, proposed-updates (Sam Hartman)
[2017-07-26] krb5 1.15.1-2 MIGRATED to testing (Debian testing watch)
[2017-07-23] Accepted krb5 1.15.1-2 (source) into unstable (Sam Hartman)
[2017-07-15] krb5 1.15.1-1 MIGRATED to testing (Debian testing watch)
[2017-07-09] Accepted krb5 1.15.1-1 (source) into unstable (Sam Hartman)
[2017-04-21] Accepted krb5 1.15-2 (source amd64 all) into experimental (Sam Hartman)
[2016-12-16] krb5 1.15-1 MIGRATED to testing (Debian testing watch)
[2016-12-04] Accepted krb5 1.15-1 (source amd64 all) into unstable (Benjamin Kaduk)
[2016-11-28] krb5 1.15~beta1-1 MIGRATED to testing (Debian testing watch)
[2016-11-03] Accepted krb5 1.15~beta1-1 (source amd64 all) into unstable, unstable (Sam Hartman)
[2016-09-12] krb5 1.14.3+dfsg-2 MIGRATED to testing (Debian testing watch)
[2016-09-06] Accepted krb5 1.14.3+dfsg-2 (source amd64 all) into unstable (Sam Hartman)
[2016-08-07] krb5 1.14.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2016-08-06] krb5 1.14.3+dfsg-1 MIGRATED to testing (Debian testing watch)
[2016-07-31] Accepted krb5 1.14.3+dfsg-1 (source) into unstable (Benjamin Kaduk)
[2016-06-05] krb5 1.14.2+dfsg-1 MIGRATED to testing (Debian testing watch)
[2016-05-30] Accepted krb5 1.14.2+dfsg-1 (source amd64 all) into unstable (Sam Hartman)
[2016-02-28] Accepted krb5 1.14+dfsg-1 (source amd64 all) into experimental, experimental (Sam Hartman)
[2016-02-27] krb5 1.13.2+dfsg-5 MIGRATED to testing (Debian testing watch)
[2016-02-23] Accepted krb5 1.13.2+dfsg-5 (source) into unstable (Sam Hartman)
[2016-02-22] Accepted krb5 1.8.3+dfsg-4squeeze11 (source all i386) into squeeze-lts (Thorsten Alteholz)

bugs [bug history graph]

all: 33 34
RC: 0
I&N: 19
M&W: 14 15
F&P: 0

links

homepage
lintian (0, 1)
buildd: logs, checks, clang, reproducibility
popcon
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 1.16-2build1
23 bugs (2 patches)