Security update for krb5 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:0290-2 Final 1 1 2015-01-21T10:07:55Z current 2015-01-21T10:07:55Z 2015-01-21T10:07:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for krb5 MIT kerberos krb5 was updated to fix several security issues and bugs. Security issues fixed: CVE-2014-5351: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) sent old keys in a response to a -randkey -keepold request, which allowed remote authenticated users to forge tickets by leveraging administrative access. CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after gss_process_context_token() is used to process a valid context deletion token, the caller was left with a security context handle containing a dangling pointer. Further uses of this handle would have resulted in use-after-free and double-free memory access violations. libgssrpc server applications such as kadmind were vulnerable as they can be instructed to call gss_process_context_token(). CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data from an authenticated user, it may have performed use-after-free and double-free memory access violations while cleaning up the partial deserialization results. Other libgssrpc server applications might also been vulnerable if they contain insufficiently defensive XDR functions. CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepted authentications to two-component server principals whose first component is a left substring of 'kadmin' or whose realm is a left prefix of the default realm. CVE-2014-9423: libgssrpc applications including kadmind output four or eight bytes of uninitialized memory to the network as part of an unused 'handle' field in replies to clients. Bugs fixed: - Work around replay cache creation race; (bnc#898439). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-BSK-12-2015-74,SUSE-SLE-DESKTOP-12-2015-74,SUSE-SLE-SDK-12-2015-74,SUSE-SLE-SERVER-12-2015-74 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20150290-2/ Link for SUSE-SU-2015:0290-2 https://lists.opensuse.org/opensuse-security-announce/2015-02/msg00017.html E-Mail link for SUSE-SU-2015:0290-2 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/897874 SUSE Bug 897874 https://bugzilla.suse.com/898439 SUSE Bug 898439 https://bugzilla.suse.com/912002 SUSE Bug 912002 https://www.suse.com/security/cve/CVE-2014-5351/ SUSE CVE CVE-2014-5351 page https://www.suse.com/security/cve/CVE-2014-5352/ SUSE CVE CVE-2014-5352 page https://www.suse.com/security/cve/CVE-2014-9421/ SUSE CVE CVE-2014-9421 page https://www.suse.com/security/cve/CVE-2014-9422/ SUSE CVE CVE-2014-9422 page https://www.suse.com/security/cve/CVE-2014-9423/ SUSE CVE CVE-2014-9423 page SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Software Development Kit 12 krb5-1.12.1-9.1 krb5-32bit-1.12.1-9.1 krb5-client-1.12.1-9.1 krb5-devel-1.12.1-9.1 krb5-doc-1.12.1-9.1 krb5-plugin-kdb-ldap-1.12.1-9.1 krb5-plugin-preauth-otp-1.12.1-9.1 krb5-plugin-preauth-pkinit-1.12.1-9.1 krb5-server-1.12.1-9.1 krb5-1.12.1-9.1 as a component of SUSE Linux Enterprise Desktop 12 krb5-32bit-1.12.1-9.1 as a component of SUSE Linux Enterprise Desktop 12 krb5-client-1.12.1-9.1 as a component of SUSE Linux Enterprise Desktop 12 krb5-1.12.1-9.1 as a component of SUSE Linux Enterprise Server 12 krb5-32bit-1.12.1-9.1 as a component of SUSE Linux Enterprise Server 12 krb5-client-1.12.1-9.1 as a component of SUSE Linux Enterprise Server 12 krb5-doc-1.12.1-9.1 as a component of SUSE Linux Enterprise Server 12 krb5-plugin-kdb-ldap-1.12.1-9.1 as a component of SUSE Linux Enterprise Server 12 krb5-plugin-preauth-otp-1.12.1-9.1 as a component of SUSE Linux Enterprise Server 12 krb5-plugin-preauth-pkinit-1.12.1-9.1 as a component of SUSE Linux Enterprise Server 12 krb5-server-1.12.1-9.1 as a component of SUSE Linux Enterprise Server 12 krb5-1.12.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-32bit-1.12.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-client-1.12.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-doc-1.12.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-plugin-kdb-ldap-1.12.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-plugin-preauth-otp-1.12.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-plugin-preauth-pkinit-1.12.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-server-1.12.1-9.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-devel-1.12.1-9.1 as a component of SUSE Linux Enterprise Software Development Kit 12 The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. CVE-2014-5351 SUSE Linux Enterprise Desktop 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Desktop 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Desktop 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-doc-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-kdb-ldap-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-otp-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-pkinit-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-server-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-doc-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-kdb-ldap-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-otp-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-pkinit-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-server-1.12.1-9.1 SUSE Linux Enterprise Software Development Kit 12:krb5-devel-1.12.1-9.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150290-2/ https://www.suse.com/security/cve/CVE-2014-5351.html CVE-2014-5351 https://bugzilla.suse.com/897874 SUSE Bug 897874 The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind. CVE-2014-5352 SUSE Linux Enterprise Desktop 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Desktop 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Desktop 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-doc-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-kdb-ldap-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-otp-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-pkinit-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-server-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-doc-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-kdb-ldap-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-otp-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-pkinit-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-server-1.12.1-9.1 SUSE Linux Enterprise Software Development Kit 12:krb5-devel-1.12.1-9.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150290-2/ https://www.suse.com/security/cve/CVE-2014-5352.html CVE-2014-5352 https://bugzilla.suse.com/1005509 SUSE Bug 1005509 https://bugzilla.suse.com/770172 SUSE Bug 770172 https://bugzilla.suse.com/912002 SUSE Bug 912002 The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind. CVE-2014-9421 SUSE Linux Enterprise Desktop 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Desktop 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Desktop 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-doc-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-kdb-ldap-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-otp-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-pkinit-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-server-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-doc-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-kdb-ldap-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-otp-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-pkinit-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-server-1.12.1-9.1 SUSE Linux Enterprise Software Development Kit 12:krb5-devel-1.12.1-9.1 moderate 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150290-2/ https://www.suse.com/security/cve/CVE-2014-9421.html CVE-2014-9421 https://bugzilla.suse.com/1005509 SUSE Bug 1005509 https://bugzilla.suse.com/770172 SUSE Bug 770172 https://bugzilla.suse.com/912002 SUSE Bug 912002 The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal. CVE-2014-9422 SUSE Linux Enterprise Desktop 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Desktop 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Desktop 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-doc-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-kdb-ldap-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-otp-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-pkinit-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-server-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-doc-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-kdb-ldap-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-otp-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-pkinit-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-server-1.12.1-9.1 SUSE Linux Enterprise Software Development Kit 12:krb5-devel-1.12.1-9.1 moderate 4.6 AV:N/AC:H/Au:S/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150290-2/ https://www.suse.com/security/cve/CVE-2014-9422.html CVE-2014-9422 https://bugzilla.suse.com/1005509 SUSE Bug 1005509 https://bugzilla.suse.com/770172 SUSE Bug 770172 https://bugzilla.suse.com/912002 SUSE Bug 912002 The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field. CVE-2014-9423 SUSE Linux Enterprise Desktop 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Desktop 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Desktop 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-doc-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-kdb-ldap-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-otp-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-pkinit-1.12.1-9.1 SUSE Linux Enterprise Server 12:krb5-server-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-32bit-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-client-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-doc-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-kdb-ldap-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-otp-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-pkinit-1.12.1-9.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-server-1.12.1-9.1 SUSE Linux Enterprise Software Development Kit 12:krb5-devel-1.12.1-9.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20150290-2/ https://www.suse.com/security/cve/CVE-2014-9423.html CVE-2014-9423 https://bugzilla.suse.com/1005509 SUSE Bug 1005509 https://bugzilla.suse.com/912002 SUSE Bug 912002