Description:
Summary: The remote host is missing an update for the 'krb5' package(s) announced via the ELSA-2015-0439 advisory.
Vulnerability Insight:
[1.12.2-14]
- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, 'Do not loop on principal unknown errors').
[1.12.2-13]
- fix for CVE-2014-5352 (#1179856) 'gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)'
- fix for CVE-2014-9421 (#1179857) 'kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)'
- fix for CVE-2014-9422 (#1179861) 'kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)'
- fix for CVE-2014-9423 (#1179863) 'libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)'
[1.12.2-12]
- fix for CVE-2014-5354 (#1174546) 'krb5: NULL pointer dereference when using keyless entries'
[1.12.2-11]
- fix for CVE-2014-5353 (#1174543) 'Fix LDAP misused policy name crash'
[1.12.2-10]
- In ksu, without the -e flag, also check .k5users (#1105489)
  When ksu was explicitly told to spawn a shell, a line in .k5users which listed '*' as the allowed command would cause the principal named on the line to be considered as a candidate for authentication. When ksu was not passed a command to run, which implicitly meant that the invoking user wanted to run the target user's login shell, knowledge that the principal was a valid candidate was ignored, which could cause a less optimal choice of the default target principal. This doesn't impact the authorization checks which we perform later. Patch by Nalin Dahyabhai
[1.12.2-9]
- Undo libkadmclnt SONAME change (from 8 to 9) which originally happened in the krb5 1.12 rebase (#1166012) but broke rubygem-rkerberos (sort of ruby language bindings for libkadmclnt&co.) dependencies, as side effect of rubygem-rkerberos using private interfaces in libkadmclnt.
[1.12.2-8]
- fix the problem where the %license file has been a dangling symlink
- ksu: pull in fix from pull #206 to avoid breakage when the default_ccache_name doesn't include a cache type as a prefix
- ksu: pull in a proposed fix for pull #207 to avoid breakage when the invoking user doesn't already have a ccache
[1.12.2-7]
- pull in patch from master to load plugins with RTLD_NODELETE, when defined (RT#7947)
[1.12.2-6]
- backport patch to make the client skip checking the server's reply address when processing responses to password-change requests, which between NAT and upcoming HTTPS support, can cause us to erroneously report an error to the user when the server actually reported success (RT#7886)
- backport support for accessing KDCs and kpasswd services via HTTPS proxies (marked by being specified as https URIs instead as hostnames or hostname-and-port), such as the one implemented in python-kdcproxy (RT#7929, #109919), and pick up a subsequent patch to build HTTPS as a plugin
[1.12.2-5]
- backport fix for trying all compatible keys when not being strict about acceptor names while reading AP-REQs (RT#7883, #1078888)
- define _GNU_SOURCE in files where we use EAI_NODATA, to make sure that it's ...
[Please see the references for more information on the vulnerabilities]
Affected Software/OS: 'krb5' package(s) on Oracle Linux 7.
Solution: Please install the updated package(s).
CVSS Score: 9.0
CVSS Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C