Security update for krb5 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:0429-1 Final 1 1 2016-02-11T10:51:55Z current 2016-02-11T10:51:55Z 2016-02-11T10:51:55Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for krb5 This update for krb5 fixes the following issues: - CVE-2015-8629: Information leak authenticated attackers with permissions to modify the database (bsc#963968) - CVE-2015-8630: An authenticated attacker with permission to modify a principal entry may have caused kadmind to crash (bsc#963964) - CVE-2015-8631: An authenticated attacker could have caused a memory leak in auditd by supplying a null principal name in request (bsc#963975) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-DESKTOP-12-2016-243,SUSE-SLE-DESKTOP-12-SP1-2016-243,SUSE-SLE-SDK-12-2016-243,SUSE-SLE-SDK-12-SP1-2016-243,SUSE-SLE-SERVER-12-2016-243,SUSE-SLE-SERVER-12-SP1-2016-243 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20160429-1/ Link for SUSE-SU-2016:0429-1 https://lists.suse.com/pipermail/sle-security-updates/2016-February/001870.html E-Mail link for SUSE-SU-2016:0429-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/963964 SUSE Bug 963964 https://bugzilla.suse.com/963968 SUSE Bug 963968 https://bugzilla.suse.com/963975 SUSE Bug 963975 https://www.suse.com/security/cve/CVE-2015-8629/ SUSE CVE CVE-2015-8629 page https://www.suse.com/security/cve/CVE-2015-8630/ SUSE CVE CVE-2015-8630 page https://www.suse.com/security/cve/CVE-2015-8631/ SUSE CVE CVE-2015-8631 page SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Desktop 12 SP1 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE Linux Enterprise Software Development Kit 12 SUSE Linux Enterprise Software Development Kit 12 SP1 krb5-1.12.1-25.1 krb5-32bit-1.12.1-25.1 krb5-client-1.12.1-25.1 krb5-devel-1.12.1-25.1 krb5-doc-1.12.1-25.1 krb5-plugin-kdb-ldap-1.12.1-25.1 krb5-plugin-preauth-otp-1.12.1-25.1 krb5-plugin-preauth-pkinit-1.12.1-25.1 krb5-server-1.12.1-25.1 krb5-1.12.1-25.1 as a component of SUSE Linux Enterprise Desktop 12 krb5-32bit-1.12.1-25.1 as a component of SUSE Linux Enterprise Desktop 12 krb5-client-1.12.1-25.1 as a component of SUSE Linux Enterprise Desktop 12 krb5-1.12.1-25.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 krb5-32bit-1.12.1-25.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 krb5-client-1.12.1-25.1 as a component of SUSE Linux Enterprise Desktop 12 SP1 krb5-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 krb5-32bit-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 krb5-client-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 krb5-doc-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 krb5-plugin-kdb-ldap-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 krb5-plugin-preauth-otp-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 krb5-plugin-preauth-pkinit-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 krb5-server-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 krb5-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 SP1 krb5-32bit-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 SP1 krb5-client-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 SP1 krb5-doc-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 SP1 krb5-plugin-kdb-ldap-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 SP1 krb5-plugin-preauth-otp-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 SP1 krb5-plugin-preauth-pkinit-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 SP1 krb5-server-1.12.1-25.1 as a component of SUSE Linux Enterprise Server 12 SP1 krb5-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-32bit-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-client-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-doc-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-plugin-kdb-ldap-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-plugin-preauth-otp-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-plugin-preauth-pkinit-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-server-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 krb5-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-32bit-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-client-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-doc-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-plugin-kdb-ldap-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-plugin-preauth-otp-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-plugin-preauth-pkinit-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-server-1.12.1-25.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-devel-1.12.1-25.1 as a component of SUSE Linux Enterprise Software Development Kit 12 krb5-devel-1.12.1-25.1 as a component of SUSE Linux Enterprise Software Development Kit 12 SP1 The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string. CVE-2015-8629 SUSE Linux Enterprise Desktop 12 SP1:krb5-1.12.1-25.1 SUSE Linux Enterprise Desktop 12 SP1:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Desktop 12 SP1:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Desktop 12:krb5-1.12.1-25.1 SUSE Linux Enterprise Desktop 12:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Desktop 12:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Software Development Kit 12 SP1:krb5-devel-1.12.1-25.1 SUSE Linux Enterprise Software Development Kit 12:krb5-devel-1.12.1-25.1 moderate 2.1 AV:N/AC:H/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160429-1/ https://www.suse.com/security/cve/CVE-2015-8629.html CVE-2015-8629 https://bugzilla.suse.com/770172 SUSE Bug 770172 https://bugzilla.suse.com/963968 SUSE Bug 963968 The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functions in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by specifying KADM5_POLICY with a NULL policy name. CVE-2015-8630 SUSE Linux Enterprise Desktop 12 SP1:krb5-1.12.1-25.1 SUSE Linux Enterprise Desktop 12 SP1:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Desktop 12 SP1:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Desktop 12:krb5-1.12.1-25.1 SUSE Linux Enterprise Desktop 12:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Desktop 12:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Software Development Kit 12 SP1:krb5-devel-1.12.1-25.1 SUSE Linux Enterprise Software Development Kit 12:krb5-devel-1.12.1-25.1 moderate 2.1 AV:N/AC:H/Au:S/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160429-1/ https://www.suse.com/security/cve/CVE-2015-8630.html CVE-2015-8630 https://bugzilla.suse.com/963964 SUSE Bug 963964 Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (memory consumption) via a request specifying a NULL principal name. CVE-2015-8631 SUSE Linux Enterprise Desktop 12 SP1:krb5-1.12.1-25.1 SUSE Linux Enterprise Desktop 12 SP1:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Desktop 12 SP1:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Desktop 12:krb5-1.12.1-25.1 SUSE Linux Enterprise Desktop 12:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Desktop 12:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server 12 SP1:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server 12:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-32bit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-client-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-doc-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-kdb-ldap-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-otp-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-plugin-preauth-pkinit-1.12.1-25.1 SUSE Linux Enterprise Server for SAP Applications 12:krb5-server-1.12.1-25.1 SUSE Linux Enterprise Software Development Kit 12 SP1:krb5-devel-1.12.1-25.1 SUSE Linux Enterprise Software Development Kit 12:krb5-devel-1.12.1-25.1 moderate 6.3 AV:N/AC:M/Au:S/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160429-1/ https://www.suse.com/security/cve/CVE-2015-8631.html CVE-2015-8631 https://bugzilla.suse.com/963975 SUSE Bug 963975