Security update for krb5 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:0255-1 Final 1 1 2015-02-04T11:32:27Z current 2015-02-04T11:32:27Z 2015-02-04T11:32:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for krb5 krb5 was updated to fix five security issues. These security issues were fixed: - CVE-2014-5351: current keys returned when randomizing the keys for a service principal (bnc#897874) - CVE-2014-5352: An authenticated attacker could cause a vulnerable application (including kadmind) to crash or to execute arbitrary code (bnc#912002). - CVE-2014-9421: An authenticated attacker could cause kadmind or other vulnerable server application to crash or to execute arbitrary code (bnc#912002). - CVE-2014-9422: An attacker who possess the key of a particularly named principal (such as "kad/root") could impersonate any user to kadmind and perform administrative actions as that user (bnc#912002). - CVE-2014-9423: An attacker could attempt to glean sensitive information from the four or eight bytes of uninitialized data output by kadmind or other libgssrpc server application. Because MIT krb5 generally sanitizes memory containing krb5 keys before freeing it, it is unlikely that kadmind would leak Kerberos key information, but it is not impossible (bnc#912002). This non-security issue was fixed: - Work around replay cache creation race (bnc#898439). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html E-Mail link for openSUSE-SU-2015:0255-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE 13.2 krb5-1.12.2-6.1 krb5-32bit-1.12.2-6.1 krb5-client-1.12.2-6.1 krb5-client-debuginfo-1.12.2-6.1 krb5-debuginfo-1.12.2-6.1 krb5-debuginfo-32bit-1.12.2-6.1 krb5-debugsource-1.12.2-6.1 krb5-devel-1.12.2-6.1 krb5-devel-32bit-1.12.2-6.1 krb5-doc-1.12.2-6.1 krb5-mini-1.12.2-6.1 krb5-mini-debuginfo-1.12.2-6.1 krb5-mini-debugsource-1.12.2-6.1 krb5-mini-devel-1.12.2-6.1 krb5-plugin-kdb-ldap-1.12.2-6.1 krb5-plugin-kdb-ldap-debuginfo-1.12.2-6.1 krb5-plugin-preauth-otp-1.12.2-6.1 krb5-plugin-preauth-otp-debuginfo-1.12.2-6.1 krb5-plugin-preauth-pkinit-1.12.2-6.1 krb5-plugin-preauth-pkinit-debuginfo-1.12.2-6.1 krb5-server-1.12.2-6.1 krb5-server-debuginfo-1.12.2-6.1 krb5-1.12.2-6.1 as a component of openSUSE 13.2 krb5-32bit-1.12.2-6.1 as a component of openSUSE 13.2 krb5-client-1.12.2-6.1 as a component of openSUSE 13.2 krb5-client-debuginfo-1.12.2-6.1 as a component of openSUSE 13.2 krb5-debuginfo-1.12.2-6.1 as a component of openSUSE 13.2 krb5-debuginfo-32bit-1.12.2-6.1 as a component of openSUSE 13.2 krb5-debugsource-1.12.2-6.1 as a component of openSUSE 13.2 krb5-devel-1.12.2-6.1 as a component of openSUSE 13.2 krb5-devel-32bit-1.12.2-6.1 as a component of openSUSE 13.2 krb5-doc-1.12.2-6.1 as a component of openSUSE 13.2 krb5-mini-1.12.2-6.1 as a component of openSUSE 13.2 krb5-mini-debuginfo-1.12.2-6.1 as a component of openSUSE 13.2 krb5-mini-debugsource-1.12.2-6.1 as a component of openSUSE 13.2 krb5-mini-devel-1.12.2-6.1 as a component of openSUSE 13.2 krb5-plugin-kdb-ldap-1.12.2-6.1 as a component of openSUSE 13.2 krb5-plugin-kdb-ldap-debuginfo-1.12.2-6.1 as a component of openSUSE 13.2 krb5-plugin-preauth-otp-1.12.2-6.1 as a component of openSUSE 13.2 krb5-plugin-preauth-otp-debuginfo-1.12.2-6.1 as a component of openSUSE 13.2 krb5-plugin-preauth-pkinit-1.12.2-6.1 as a component of openSUSE 13.2 krb5-plugin-preauth-pkinit-debuginfo-1.12.2-6.1 as a component of openSUSE 13.2 krb5-server-1.12.2-6.1 as a component of openSUSE 13.2 krb5-server-debuginfo-1.12.2-6.1 as a component of openSUSE 13.2 The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. CVE-2014-5351 openSUSE 13.2:krb5-1.12.2-6.1 openSUSE 13.2:krb5-32bit-1.12.2-6.1 openSUSE 13.2:krb5-client-1.12.2-6.1 openSUSE 13.2:krb5-client-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-debuginfo-32bit-1.12.2-6.1 openSUSE 13.2:krb5-debugsource-1.12.2-6.1 openSUSE 13.2:krb5-devel-1.12.2-6.1 openSUSE 13.2:krb5-devel-32bit-1.12.2-6.1 openSUSE 13.2:krb5-doc-1.12.2-6.1 openSUSE 13.2:krb5-mini-1.12.2-6.1 openSUSE 13.2:krb5-mini-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-mini-debugsource-1.12.2-6.1 openSUSE 13.2:krb5-mini-devel-1.12.2-6.1 openSUSE 13.2:krb5-plugin-kdb-ldap-1.12.2-6.1 openSUSE 13.2:krb5-plugin-kdb-ldap-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-otp-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-otp-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-pkinit-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-pkinit-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-server-1.12.2-6.1 openSUSE 13.2:krb5-server-debuginfo-1.12.2-6.1 moderate Please Install the update. http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html https://www.suse.com/security/cve/CVE-2014-5351.html CVE-2014-5351 https://bugzilla.suse.com/897874 SUSE Bug 897874 The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind. CVE-2014-5352 openSUSE 13.2:krb5-1.12.2-6.1 openSUSE 13.2:krb5-32bit-1.12.2-6.1 openSUSE 13.2:krb5-client-1.12.2-6.1 openSUSE 13.2:krb5-client-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-debuginfo-32bit-1.12.2-6.1 openSUSE 13.2:krb5-debugsource-1.12.2-6.1 openSUSE 13.2:krb5-devel-1.12.2-6.1 openSUSE 13.2:krb5-devel-32bit-1.12.2-6.1 openSUSE 13.2:krb5-doc-1.12.2-6.1 openSUSE 13.2:krb5-mini-1.12.2-6.1 openSUSE 13.2:krb5-mini-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-mini-debugsource-1.12.2-6.1 openSUSE 13.2:krb5-mini-devel-1.12.2-6.1 openSUSE 13.2:krb5-plugin-kdb-ldap-1.12.2-6.1 openSUSE 13.2:krb5-plugin-kdb-ldap-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-otp-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-otp-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-pkinit-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-pkinit-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-server-1.12.2-6.1 openSUSE 13.2:krb5-server-debuginfo-1.12.2-6.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html https://www.suse.com/security/cve/CVE-2014-5352.html CVE-2014-5352 https://bugzilla.suse.com/1005509 SUSE Bug 1005509 https://bugzilla.suse.com/770172 SUSE Bug 770172 https://bugzilla.suse.com/912002 SUSE Bug 912002 The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind. CVE-2014-9421 openSUSE 13.2:krb5-1.12.2-6.1 openSUSE 13.2:krb5-32bit-1.12.2-6.1 openSUSE 13.2:krb5-client-1.12.2-6.1 openSUSE 13.2:krb5-client-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-debuginfo-32bit-1.12.2-6.1 openSUSE 13.2:krb5-debugsource-1.12.2-6.1 openSUSE 13.2:krb5-devel-1.12.2-6.1 openSUSE 13.2:krb5-devel-32bit-1.12.2-6.1 openSUSE 13.2:krb5-doc-1.12.2-6.1 openSUSE 13.2:krb5-mini-1.12.2-6.1 openSUSE 13.2:krb5-mini-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-mini-debugsource-1.12.2-6.1 openSUSE 13.2:krb5-mini-devel-1.12.2-6.1 openSUSE 13.2:krb5-plugin-kdb-ldap-1.12.2-6.1 openSUSE 13.2:krb5-plugin-kdb-ldap-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-otp-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-otp-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-pkinit-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-pkinit-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-server-1.12.2-6.1 openSUSE 13.2:krb5-server-debuginfo-1.12.2-6.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html https://www.suse.com/security/cve/CVE-2014-9421.html CVE-2014-9421 https://bugzilla.suse.com/1005509 SUSE Bug 1005509 https://bugzilla.suse.com/770172 SUSE Bug 770172 https://bugzilla.suse.com/912002 SUSE Bug 912002 The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal. CVE-2014-9422 openSUSE 13.2:krb5-1.12.2-6.1 openSUSE 13.2:krb5-32bit-1.12.2-6.1 openSUSE 13.2:krb5-client-1.12.2-6.1 openSUSE 13.2:krb5-client-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-debuginfo-32bit-1.12.2-6.1 openSUSE 13.2:krb5-debugsource-1.12.2-6.1 openSUSE 13.2:krb5-devel-1.12.2-6.1 openSUSE 13.2:krb5-devel-32bit-1.12.2-6.1 openSUSE 13.2:krb5-doc-1.12.2-6.1 openSUSE 13.2:krb5-mini-1.12.2-6.1 openSUSE 13.2:krb5-mini-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-mini-debugsource-1.12.2-6.1 openSUSE 13.2:krb5-mini-devel-1.12.2-6.1 openSUSE 13.2:krb5-plugin-kdb-ldap-1.12.2-6.1 openSUSE 13.2:krb5-plugin-kdb-ldap-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-otp-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-otp-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-pkinit-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-pkinit-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-server-1.12.2-6.1 openSUSE 13.2:krb5-server-debuginfo-1.12.2-6.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P Please Install the update. http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html https://www.suse.com/security/cve/CVE-2014-9422.html CVE-2014-9422 https://bugzilla.suse.com/1005509 SUSE Bug 1005509 https://bugzilla.suse.com/770172 SUSE Bug 770172 https://bugzilla.suse.com/912002 SUSE Bug 912002 The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field. CVE-2014-9423 openSUSE 13.2:krb5-1.12.2-6.1 openSUSE 13.2:krb5-32bit-1.12.2-6.1 openSUSE 13.2:krb5-client-1.12.2-6.1 openSUSE 13.2:krb5-client-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-debuginfo-32bit-1.12.2-6.1 openSUSE 13.2:krb5-debugsource-1.12.2-6.1 openSUSE 13.2:krb5-devel-1.12.2-6.1 openSUSE 13.2:krb5-devel-32bit-1.12.2-6.1 openSUSE 13.2:krb5-doc-1.12.2-6.1 openSUSE 13.2:krb5-mini-1.12.2-6.1 openSUSE 13.2:krb5-mini-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-mini-debugsource-1.12.2-6.1 openSUSE 13.2:krb5-mini-devel-1.12.2-6.1 openSUSE 13.2:krb5-plugin-kdb-ldap-1.12.2-6.1 openSUSE 13.2:krb5-plugin-kdb-ldap-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-otp-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-otp-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-pkinit-1.12.2-6.1 openSUSE 13.2:krb5-plugin-preauth-pkinit-debuginfo-1.12.2-6.1 openSUSE 13.2:krb5-server-1.12.2-6.1 openSUSE 13.2:krb5-server-debuginfo-1.12.2-6.1 moderate 4.9 AV:N/AC:L/Au:N/C:P/I:N/A:N Please Install the update. http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html https://www.suse.com/security/cve/CVE-2014-9423.html CVE-2014-9423 https://bugzilla.suse.com/1005509 SUSE Bug 1005509 https://bugzilla.suse.com/912002 SUSE Bug 912002