Bug 719393 (CVE-2011-1527)

Summary: VUL-0: krb5: kdc remote denial of service
Product: [Novell Products] SUSE Security Incidents
Reporter: Ludwig Nussel <lnussel>
Component: General
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P2 - High
CC: mc, meissner, security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:released:11.3:43730 maint:released:11.4:43730 CVSSv2:NVD:CVE-2011-1528:7.8:(AV:N/AC:L/Au:N/C:N/I:N/A:C) CVSSv2:RedHat:CVE-2011-1528:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2011-09-21 08:37:53 UTC
Your friendly security team received the following report via security@suse.de.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

CVE-2011-1527: In releases krb5-1.9 and later, the KDC can crash due
to a null pointer dereference if configured to use the LDAP back end.

CVE-2011-1528: In releases krb5-1.8 and later, the KDC can crash due
to an assertion failure.

CVE-2011-1529: In releases krb5-1.8 and later, the KDC can crash due
to a null pointer dereference.

All bugs can be triggered by unauthenticated remote attackers.
Comment 2 Michael Calmer 2011-09-21 08:57:34 UTC
JFYI: SLES10 has 1.4.x and SLES11 has 1.6.x. So both are not affected.

openSUSE 11.3 and 11.4 have krb5-1.8.x. So they are affected by CVE-2011-1528 and CVE-2011-1529.

Factory aka 12.1 has 1.9.x and is affected by all of these.

I will update openSUSE after 18 October 2011 (CRD).
Comment 3 Michael Calmer 2011-10-17 14:13:11 UTC
Patches ready on my HD.

JFYI: 12.1 is not yet released. This means that I will submit the fix to Factory as soon as the CRD is reached.
Comment 4 Swamp Workflow Management 2011-10-18 08:37:38 UTC
The SWAMPID for this issue is 43703.
This issue was rated as important.
Please submit fixed packages by 2011-10-25.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 Sebastian Krahmer 2011-10-18 08:41:25 UTC
There is also bnc#698471 on the planned update list. Can you incorporate these?
Comment 6 Michael Calmer 2011-10-18 09:16:24 UTC
See Bug 698471 Comment #4:

package krb5-appl:

openSUSE 11.3, 11.4, Factory

This means that a different package is affected. krb5-appl is already submitted to 11.3 and 11.4. If you want to include them too, take care to add the package to the patchinfo file.


In SLES 11 SP1 this fix is part of the main krb5 package which is also submitted, but not checked in yet. But *this* Bug does not affect SLES11 SP1.

What do you want to release?
Comment 7 Sebastian Krahmer 2011-10-18 09:27:57 UTC
I added krb5-appl to the swamp. So, for SLE it seems 698471 stays on the planned list since we are not doing updates for this one either, as it's not affected.

So at the end we just have box updates for both bugs handled by swamp 43703.
Comment 8 Michael Calmer 2011-10-18 09:31:51 UTC
Ok, fine. I will submit krb5 packages tomorrow to OBS after the announcement is out.
Comment 9 Michael Calmer 2011-10-19 08:17:46 UTC
Packages submitted.
Comment 10 Bernhard Wiedemann 2011-10-19 09:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (719393) was mentioned in
https://build.opensuse.org/request/show/88659 Factory / krb5
https://build.opensuse.org/request/show/88660 11.3 / krb5
https://build.opensuse.org/request/show/88661 11.4 / krb5
Comment 11 Swamp Workflow Management 2011-10-24 08:17:33 UTC
Update released for: krb5, krb5-appl, krb5-appl-clients, krb5-appl-clients-debuginfo, krb5-appl-debugsource, krb5-appl-servers, krb5-appl-servers-debuginfo, krb5-client, krb5-client-debuginfo, krb5-debuginfo, krb5-debugsource, krb5-devel, krb5-plugin-kdb-ldap, krb5-plugin-kdb-ldap-debuginfo, krb5-plugin-preauth-pkinit, krb5-plugin-preauth-pkinit-debuginfo, krb5-server, krb5-server-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 12 Sebastian Krahmer 2011-10-24 08:21:01 UTC
done