Security update for krb5 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:1425-1 Final 1 1 2018-05-25T13:05:54Z current 2018-05-25T13:05:54Z 2018-05-25T13:05:54Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for krb5 This update for krb5 provides the following fixes: Security issues fixed: - CVE-2017-7562: Improper validation of certificate EKU and SAN could lead to authentication bypass. (bsc#1055851) Non-security issues fixed: - Set 'rdns' and 'dns_canonicalize_hostname' to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028) - Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in gss_indicate_mech() list. (bsc#1081725) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SAP-12-SP1-2018-983,SUSE-SLE-SERVER-12-2018-983,SUSE-SLE-SERVER-12-SP1-2018-983 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20181425-1/ Link for SUSE-SU-2018:1425-1 https://lists.suse.com/pipermail/sle-security-updates/2018-May/004088.html E-Mail link for SUSE-SU-2018:1425-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1054028 SUSE Bug 1054028 https://bugzilla.suse.com/1055851 SUSE Bug 1055851 https://bugzilla.suse.com/1081725 SUSE Bug 1081725 https://www.suse.com/security/cve/CVE-2017-7562/ SUSE CVE CVE-2017-7562 page SUSE Linux Enterprise Server 12 SP1-LTSS SUSE Linux Enterprise Server 12-LTSS SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-1.12.1-38.5.3 krb5-32bit-1.12.1-38.5.3 krb5-client-1.12.1-38.5.3 krb5-doc-1.12.1-38.5.3 krb5-plugin-kdb-ldap-1.12.1-38.5.3 krb5-plugin-preauth-otp-1.12.1-38.5.3 krb5-plugin-preauth-pkinit-1.12.1-38.5.3 krb5-server-1.12.1-38.5.3 krb5-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS krb5-32bit-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS krb5-client-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS krb5-doc-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS krb5-plugin-kdb-ldap-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS krb5-plugin-preauth-otp-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS krb5-plugin-preauth-pkinit-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS krb5-server-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12 SP1-LTSS krb5-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12-LTSS krb5-32bit-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12-LTSS krb5-client-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12-LTSS krb5-doc-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12-LTSS krb5-plugin-kdb-ldap-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12-LTSS krb5-plugin-preauth-otp-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12-LTSS krb5-plugin-preauth-pkinit-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12-LTSS krb5-server-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server 12-LTSS krb5-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-32bit-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-client-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-doc-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-plugin-kdb-ldap-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-plugin-preauth-otp-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-plugin-preauth-pkinit-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 krb5-server-1.12.1-38.5.3 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP1 An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances. CVE-2017-7562 SUSE Linux Enterprise Server 12 SP1-LTSS:krb5-1.12.1-38.5.3 SUSE Linux Enterprise Server 12 SP1-LTSS:krb5-32bit-1.12.1-38.5.3 SUSE Linux Enterprise Server 12 SP1-LTSS:krb5-client-1.12.1-38.5.3 SUSE Linux Enterprise Server 12 SP1-LTSS:krb5-doc-1.12.1-38.5.3 SUSE Linux Enterprise Server 12 SP1-LTSS:krb5-plugin-kdb-ldap-1.12.1-38.5.3 SUSE Linux Enterprise Server 12 SP1-LTSS:krb5-plugin-preauth-otp-1.12.1-38.5.3 SUSE Linux Enterprise Server 12 SP1-LTSS:krb5-plugin-preauth-pkinit-1.12.1-38.5.3 SUSE Linux Enterprise Server 12 SP1-LTSS:krb5-server-1.12.1-38.5.3 SUSE Linux Enterprise Server 12-LTSS:krb5-1.12.1-38.5.3 SUSE Linux Enterprise Server 12-LTSS:krb5-32bit-1.12.1-38.5.3 SUSE Linux Enterprise Server 12-LTSS:krb5-client-1.12.1-38.5.3 SUSE Linux Enterprise Server 12-LTSS:krb5-doc-1.12.1-38.5.3 SUSE Linux Enterprise Server 12-LTSS:krb5-plugin-kdb-ldap-1.12.1-38.5.3 SUSE Linux Enterprise Server 12-LTSS:krb5-plugin-preauth-otp-1.12.1-38.5.3 SUSE Linux Enterprise Server 12-LTSS:krb5-plugin-preauth-pkinit-1.12.1-38.5.3 SUSE Linux Enterprise Server 12-LTSS:krb5-server-1.12.1-38.5.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-1.12.1-38.5.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-32bit-1.12.1-38.5.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-client-1.12.1-38.5.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-doc-1.12.1-38.5.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-kdb-ldap-1.12.1-38.5.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-preauth-otp-1.12.1-38.5.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-plugin-preauth-pkinit-1.12.1-38.5.3 SUSE Linux Enterprise Server for SAP Applications 12 SP1:krb5-server-1.12.1-38.5.3 moderate 6.3 AV:N/AC:M/Au:S/C:N/I:C/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20181425-1/ https://www.suse.com/security/cve/CVE-2017-7562.html CVE-2017-7562 https://bugzilla.suse.com/1055851 SUSE Bug 1055851 https://bugzilla.suse.com/1056995 SUSE Bug 1056995