openSUSE Security Update: Security update for krb5 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2015:0255-1 Rating: moderate References: #897874 #898439 #912002 Cross-References: CVE-2014-5351 CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423 Affected Products: openSUSE 13.2 ______________________________________________________________________________ An update that fixes 5 vulnerabilities is now available. Description: krb5 was updated to fix five security issues. These security issues were fixed: - CVE-2014-5351: current keys returned when randomizing the keys for a service principal (bnc#897874) - CVE-2014-5352: An authenticated attacker could cause a vulnerable application (including kadmind) to crash or to execute arbitrary code (bnc#912002). - CVE-2014-9421: An authenticated attacker could cause kadmind or other vulnerable server application to crash or to execute arbitrary code (bnc#912002). - CVE-2014-9422: An attacker who possess the key of a particularly named principal (such as "kad/root") could impersonate any user to kadmind and perform administrative actions as that user (bnc#912002). - CVE-2014-9423: An attacker could attempt to glean sensitive information from the four or eight bytes of uninitialized data output by kadmind or other libgssrpc server application. Because MIT krb5 generally sanitizes memory containing krb5 keys before freeing it, it is unlikely that kadmind would leak Kerberos key information, but it is not impossible (bnc#912002). This non-security issue was fixed: - Work around replay cache creation race (bnc#898439). Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 13.2: zypper in -t patch openSUSE-2015-128=1 To bring your system up-to-date, use "zypper patch". Package List: - openSUSE 13.2 (i586 x86_64): krb5-1.12.2-6.1 krb5-client-1.12.2-6.1 krb5-client-debuginfo-1.12.2-6.1 krb5-debuginfo-1.12.2-6.1 krb5-debugsource-1.12.2-6.1 krb5-devel-1.12.2-6.1 krb5-doc-1.12.2-6.1 krb5-mini-1.12.2-6.1 krb5-mini-debuginfo-1.12.2-6.1 krb5-mini-debugsource-1.12.2-6.1 krb5-mini-devel-1.12.2-6.1 krb5-plugin-kdb-ldap-1.12.2-6.1 krb5-plugin-kdb-ldap-debuginfo-1.12.2-6.1 krb5-plugin-preauth-otp-1.12.2-6.1 krb5-plugin-preauth-otp-debuginfo-1.12.2-6.1 krb5-plugin-preauth-pkinit-1.12.2-6.1 krb5-plugin-preauth-pkinit-debuginfo-1.12.2-6.1 krb5-server-1.12.2-6.1 krb5-server-debuginfo-1.12.2-6.1 - openSUSE 13.2 (x86_64): krb5-32bit-1.12.2-6.1 krb5-debuginfo-32bit-1.12.2-6.1 krb5-devel-32bit-1.12.2-6.1 References: http://support.novell.com/security/cve/CVE-2014-5351.html http://support.novell.com/security/cve/CVE-2014-5352.html http://support.novell.com/security/cve/CVE-2014-9421.html http://support.novell.com/security/cve/CVE-2014-9422.html http://support.novell.com/security/cve/CVE-2014-9423.html https://bugzilla.suse.com/show_bug.cgi?id=897874 https://bugzilla.suse.com/show_bug.cgi?id=898439 https://bugzilla.suse.com/show_bug.cgi?id=912002