Bug 698471 - VUL-1: krb5 ftpd unauthorized file access
Status: RESOLVED FIXED
Duplicates: 698384
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:released:11.3:44740 maint:rel...
Depends on:
Blocks:
Reported: 2011-06-07 09:38 UTC by Ludwig Nussel
Modified: 2012-01-04 18:33 UTC (History)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2011-06-07 09:38:44 UTC
Your friendly security team received the following report via security@suse.de.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

It was found that the ftp daemon included in krb5 did not properly drop its privileges. This allowed users to potentially access files that are normally only accessible to the gid the daemon was started with.

CVE-2011-1526
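The report above describes a daemon that kept the gid it was started with. As an added illustration, not code from krb5-appl or from this bug report, the C routines below contrast a privilege drop that ignores the set*id return values with one that checks each step and verifies the resulting identity; the function names are hypothetical and the code assumes a Linux/glibc environment.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Sloppy pattern: results ignored; a failed setgid() leaves the startup gid in place yet reports success. */
int drop_privileges_unchecked(uid_t uid, gid_t gid)
{
    if (geteuid() == 0)
        setgroups(1, &gid);
    setgid(gid);
    setuid(uid);
    return 0;
}

/* Defensive pattern: supplementary groups (only a privileged process can or
 * needs to reset them), then gid, then uid, each step checked, the result
 * verified. Group must go before uid: once the uid is dropped, a gid change
 * is refused. Returns 0 on success, -1 (errno set) on any failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify rather than trust: real and effective ids must both match. */
    if (getgid() != gid || getegid() != gid || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    /* Dropping to a non-root uid must be irreversible. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* As an unprivileged user gid 0 is refused: unchecked=0, checked=-1. */
    int unchecked = drop_privileges_unchecked(getuid(), 0);
    int checked = drop_privileges(getuid(), 0);
    printf("unchecked=%d checked=%d gid=%u\n", unchecked, checked, (unsigned)getgid());
    return 0;
}
```

Run as a normal user, the unchecked routine reports success although the process still carries its original gid, which is the class of failure the report describes.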
Comment 5 Bernhard Wiedemann 2011-07-06 14:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (698471) was mentioned in
https://build.opensuse.org/request/show/75531 11.3 / krb5-appl
https://build.opensuse.org/request/show/75532 11.4 / krb5-appl
Comment 6 Michael Calmer 2011-07-06 14:12:47 UTC
I have submitted this fix to

SLES10 SP4
SLES11 SP1
openSUSE 11.3
openSUSE 11.4
openSUSE Factory

In case we want to release this update you can provide a patchinfo.
Comment 7 Bernhard Wiedemann 2011-07-06 15:00:20 UTC
This is an autogenerated message for OBS integration:
This bug (698471) was mentioned in
https://build.opensuse.org/request/show/75536 11.3 / krb5-appl
https://build.opensuse.org/request/show/75537 11.4 / krb5-appl
https://build.opensuse.org/request/show/75538 Factory / krb5-appl
Comment 8 Sebastian Krahmer 2011-07-11 14:09:02 UTC
*** Bug 698384 has been marked as a duplicate of this bug. ***
Comment 9 Swamp Workflow Management 2011-12-30 17:19:21 UTC
Update released for: krb5-appl, krb5-appl-clients, krb5-appl-clients-debuginfo, krb5-appl-debugsource, krb5-appl-servers, krb5-appl-servers-debuginfo
Products:
openSUSE 11.3 (debug, i586, x86_64)
openSUSE 11.4 (debug, i586, x86_64)
Comment 10 Swamp Workflow Management 2011-12-30 20:33:25 UTC
Update released for: krb5, krb5-32bit, krb5-appl, krb5-apps-clients, krb5-apps-servers, krb5-client, krb5-debuginfo, krb5-debuginfo-32bit, krb5-debuginfo-x86, krb5-debugsource, krb5-devel, krb5-devel-32bit, krb5-server, krb5-x86
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
Comment 11 Swamp Workflow Management 2011-12-30 21:34:32 UTC
Update released for: krb5, krb5-32bit, krb5-64bit, krb5-appl, krb5-apps-clients, krb5-apps-servers, krb5-client, krb5-debuginfo, krb5-devel, krb5-devel-32bit, krb5-devel-64bit, krb5-server, krb5-x86
Products:
SLE-DEBUGINFO 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-DESKTOP 10-SP4 (i386, x86_64)
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 12 Swamp Workflow Management 2011-12-31 10:37:42 UTC
Update released for: krb5, krb5-32bit, krb5-appl, krb5-apps-clients, krb5-apps-servers, krb5-client, krb5-debuginfo, krb5-devel, krb5-devel-32bit, krb5-server
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 13 Marcus Meissner 2012-01-04 16:30:46 UTC
released now
Comment 14 Swamp Workflow Management 2012-01-04 18:13:43 UTC
Update released for: krb5, krb5-32bit, krb5-apps-clients, krb5-apps-servers, krb5-client, krb5-debuginfo, krb5-devel, krb5-devel-32bit, krb5-server
Products:
SLE-SERVER 10-SP3-LTSS (i386, s390x, x86_64)
Comment 15 Swamp Workflow Management 2012-01-04 18:33:32 UTC
Update released for: krb5, krb5-apps-clients, krb5-apps-servers, krb5-client, krb5-devel, krb5-server
Products:
SLE-DEBUGINFO 10-SP2 (i386, s390x, x86_64)
SLE-SERVER 10-SP2-LTSS (i386, s390x, x86_64)