openSUSE-SU-2015:0255-1: moderate: Security update for krb5
openSUSE Security Update: Security update for krb5
______________________________________________________________________________

Announcement ID: openSUSE-SU-2015:0255-1
Rating: moderate
References: #897874 #898439 #912002
Cross-References: CVE-2014-5351 CVE-2014-5352 CVE-2014-9421
CVE-2014-9422 CVE-2014-9423
Affected Products:
openSUSE 13.2
______________________________________________________________________________

An update that fixes 5 vulnerabilities is now available.

Description:

krb5 was updated to fix five security issues.

These security issues were fixed:
- CVE-2014-5351: The current keys were returned when randomizing the keys for a
service principal (bnc#897874).
- CVE-2014-5352: An authenticated attacker could cause a vulnerable
application (including kadmind) to crash or to execute arbitrary code
(bnc#912002).
- CVE-2014-9421: An authenticated attacker could cause kadmind or another
vulnerable server application to crash or to execute arbitrary code
(bnc#912002).
- CVE-2014-9422: An attacker who possesses the key of a particularly named
principal (such as "kad/root") could impersonate any user to kadmind and
perform administrative actions as that user (bnc#912002).
- CVE-2014-9423: An attacker could attempt to glean sensitive information
from the four or eight bytes of uninitialized data output by kadmind or
other libgssrpc server applications. Because MIT krb5 generally
sanitizes memory containing krb5 keys before freeing it, it is unlikely
that kadmind would leak Kerberos key information, but it is not
impossible (bnc#912002).

This non-security issue was fixed:
- Work around replay cache creation race (bnc#898439).


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.2:

zypper in -t patch openSUSE-2015-128=1

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 13.2 (i586 x86_64):

krb5-1.12.2-6.1
krb5-client-1.12.2-6.1
krb5-client-debuginfo-1.12.2-6.1
krb5-debuginfo-1.12.2-6.1
krb5-debugsource-1.12.2-6.1
krb5-devel-1.12.2-6.1
krb5-doc-1.12.2-6.1
krb5-mini-1.12.2-6.1
krb5-mini-debuginfo-1.12.2-6.1
krb5-mini-debugsource-1.12.2-6.1
krb5-mini-devel-1.12.2-6.1
krb5-plugin-kdb-ldap-1.12.2-6.1
krb5-plugin-kdb-ldap-debuginfo-1.12.2-6.1
krb5-plugin-preauth-otp-1.12.2-6.1
krb5-plugin-preauth-otp-debuginfo-1.12.2-6.1
krb5-plugin-preauth-pkinit-1.12.2-6.1
krb5-plugin-preauth-pkinit-debuginfo-1.12.2-6.1
krb5-server-1.12.2-6.1
krb5-server-debuginfo-1.12.2-6.1

- openSUSE 13.2 (x86_64):

krb5-32bit-1.12.2-6.1
krb5-debuginfo-32bit-1.12.2-6.1
krb5-devel-32bit-1.12.2-6.1
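A quick way to confirm that a host actually picked up the fixed builds listed above, as an added example that is not part of the advisory: it assumes the package inventory was produced with `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, uses a simplified rpmvercmp, and runs on a constructed sample instead of real host output.

```python
import re

# Fixed version-release from the advisory's package list (openSUSE-SU-2015:0255-1)
FIXED_VR = "1.12.2-6.1"
# Package names the advisory lists for openSUSE 13.2
ADVISORY_PACKAGES = {
    "krb5", "krb5-client", "krb5-devel", "krb5-doc", "krb5-mini", "krb5-mini-devel",
    "krb5-plugin-kdb-ldap", "krb5-plugin-preauth-otp", "krb5-plugin-preauth-pkinit",
    "krb5-server", "krb5-32bit", "krb5-devel-32bit",
}

def _segments(s):
    """Split an rpm version string into numeric and alphabetic runs."""
    return re.findall(r"\d+|[A-Za-z]+", s)

def _cmp_str(a, b):
    """Simplified rpmvercmp: numeric runs compare as integers, alphabetic runs
    lexically, numeric beats alphabetic, and the longer string wins on a tie."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return (int(x) > int(y)) - (int(x) < int(y))
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_compare(a, b):
    """Compare two 'VERSION-RELEASE' strings: <0, 0 or >0 like rpmvercmp."""
    av, ar = a.rsplit("-", 1)
    bv, br = b.rsplit("-", 1)
    return _cmp_str(av, bv) or _cmp_str(ar, br)

def audit(rpm_lines):
    """Map each advisory package found in the inventory to 'fixed' or 'VULNERABLE'."""
    result = {}
    for line in rpm_lines.splitlines():
        if line.strip():
            name, vr = line.split()
            if name in ADVISORY_PACKAGES:
                result[name] = "fixed" if vr_compare(vr, FIXED_VR) >= 0 else "VULNERABLE"
    return result

# Constructed sample inventory (not real host output); 5.2 is a made-up pre-update release
SAMPLE_RPM_OUTPUT = "krb5 1.12.2-6.1\nkrb5-client 1.12.2-6.1\nkrb5-32bit 1.12.2-5.2\nbash 4.2-75.4\n"

if __name__ == "__main__":
    for pkg, status in sorted(audit(SAMPLE_RPM_OUTPUT).items()):
        print(f"{pkg:24} {status}")
```

Any package reported as VULNERABLE is still on a build older than 1.12.2-6.1 and needs the patch applied with the zypper command above.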


References:

http://support.novell.com/security/cve/CVE-2014-5351.html
http://support.novell.com/security/cve/CVE-2014-5352.html
http://support.novell.com/security/cve/CVE-2014-9421.html
http://support.novell.com/security/cve/CVE-2014-9422.html
http://support.novell.com/security/cve/CVE-2014-9423.html
https://bugzilla.suse.com/show_bug.cgi?id=897874
https://bugzilla.suse.com/show_bug.cgi?id=898439
https://bugzilla.suse.com/show_bug.cgi?id=912002

