Bug 49601 - heimdal: Multiple issues (4.3)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.3
All Linux
Importance: P3 normal
Target Milestone: UCS 4.3-4-errata
Assigned To: Quality Assurance
Philipp Hahn
Depends on:
Blocks:
Reported: 2019-06-05 21:33 CEST by Philipp Hahn
Modified: 2020-08-31 08:28 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score: 7.5 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (sources: NVD, RedHat)
Description Philipp Hahn univentionstaff 2019-06-05 21:33:10 CEST
New Debian heimdal 7.1.0+dfsg-13+deb9u3A~4.3.0.201906052130 fixes:
This update addresses the following issues:
* S4U2Self with unkeyed checksum (CVE-2018-16860)
* In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c. (CVE-2019-12098)
Comment 1 Quality Assurance univentionstaff 2019-06-05 23:00:12 CEST
--- mirror/ftp/4.3/unmaintained/4.3-0/source/heimdal_7.1.0+dfsg-13+deb9u2A~4.3.0.201801240026.dsc
+++ apt/ucs_4.3-0-errata4.3-4/source/heimdal_7.1.0+dfsg-13+deb9u3A~4.3.0.201906052130.dsc
@@ -1,4 +1,4 @@
-7.1.0+dfsg-13+deb9u2A~4.3.0.201801240026 [Wed, 24 Jan 2018 00:26:54 +0100] Univention builddaemon <buildd@univention.de>:
+7.1.0+dfsg-13+deb9u3A~4.3.0.201906052130 [Wed, 05 Jun 2019 21:30:51 +0200] Univention builddaemon <buildd@univention.de>:
 
   * UCS auto build. The following patches have been applied to the original source package
     0001-password_sync
@@ -7,6 +7,14 @@
     0098-s4-badPwdCount-02-part2
     0098-s4-badPwdCount-02-part3
 
+7.1.0+dfsg-13+deb9u3 [Tue, 28 May 2019 17:16:51 +1000] Brian May <bam@debian.org>:
+
+  * CVE-2018-16860: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum.
+    Closes: #928966.
+  * CVE-2019-12098: Always confirm PA-PKINIT-KX for anon PKINIT.
+    Closes: #929064.
+  * Update test certificates to pre 2038 expiry.
+
 7.1.0+dfsg-13+deb9u2 [Wed, 06 Dec 2017 13:24:04 +0100] Dominik George <nik@naturalnet.de>:
 
   * CVE-2017-17439: Remote unauthenticated DoS in Heimdal-KDC 7.1
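Review bot: the new deb9u3 changelog entry records the two CVE fixes and their Debian bug numbers, but says nothing about the UCS patch series that the unchanged context of the first hunk shows being applied on top (0001-password_sync through 0098-s4-badPwdCount-02-part3); since both the CVE-2018-16860 fix ("Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum") and the 0098-s4-* patches concern the Samba AD DC integration, the UCS build entry should state that the series still applied cleanly against the upstream fix, or name any patches that had to be refreshed, so the next rebase does not have to rediscover it. The third bullet, "Update test certificates to pre 2038 expiry", is a test-fixture change with no bug reference; a one-line note that it affects only the test suite would make the security relevance of the entry clearer.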

<http://10.200.17.11/4.3-4/#3183242857806190174>
Comment 2 Philipp Hahn univentionstaff 2019-06-06 09:05:33 CEST
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.3-4] 73da7c4aab Bug #49601: heimdal 7.1.0+dfsg-13+deb9u3A~4.3.0.201906052130
 doc/errata/staging/heimdal.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
Comment 3 Arvid Requate univentionstaff 2019-06-12 16:44:24 CEST
<http://errata.software-univention.de/ucs/4.3/529.html>