krb5 (1.13.2+dfsg-5ubuntu2) xenial; urgency=medium

  * Fix segfault in context_handle (LP: #1648901).
    - d/p/check_internal_context_on_init_context_errors.patch:
      Cherry picked patch from upstream VCS.

 -- Eric Desrochers  Mon, 16 Jan 2017 15:06:57 +0100

krb5 (1.13.2+dfsg-5ubuntu1) xenial; urgency=medium

  * d/p/upstream/0001-Add-SPNEGO-special-case-for-NTLMSSP-MechListMIC.patch:
    Cherry-pick from upstream to add SPNEGO special case for
    NTLMSSP+MechListMIC. LP: #1643708.

 -- Steve Langasek  Mon, 21 Nov 2016 17:28:15 -0800

krb5 (1.13.2+dfsg-5) unstable; urgency=high

  * Security Update
  * Verify decoded kadmin C strings [CVE-2015-8629]
    CVE-2015-8629: An authenticated attacker can cause kadmind to read
    beyond the end of allocated memory by sending a string without a
    terminating zero byte. Information leakage may be possible for an
    attacker with permission to modify the database. (Closes: #813296)
  * Check for null kadm5 policy name [CVE-2015-8630]
    CVE-2015-8630: An authenticated attacker with permission to modify a
    principal entry can cause kadmind to dereference a null pointer by
    supplying a null policy value but including KADM5_POLICY in the mask.
    (Closes: #813127)
  * Fix leaks in kadmin server stubs [CVE-2015-8631]
    CVE-2015-8631: An authenticated attacker can cause kadmind to leak
    memory by supplying a null principal name in a request which uses one.
    Repeating these requests will eventually cause kadmind to exhaust all
    available memory. (Closes: #813126)

 -- Sam Hartman  Tue, 23 Feb 2016 08:54:09 -0500

krb5 (1.13.2+dfsg-4) unstable; urgency=high

  * Import upstream patches fixing regressions in the previous upload:
    - CVE-2015-2698: the patch for CVE-2015-2696 caused memory corruption
      for applications calling gss_export_sec_context() on contexts
      established using the IAKERB mechanism.
    - Supply gss_import_sec_context implementations for SPNEGO and IAKERB,
      which were not implemented due to the erroneous belief that the
      exported context tokens would be tagged with the underlying context's
      mechanism.

 -- Benjamin Kaduk  Wed, 04 Nov 2015 22:47:22 -0500

krb5 (1.13.2+dfsg-3) unstable; urgency=high

  * Import upstream patches for three CVEs:
    - CVE-2015-2695: SPNEGO context aliasing during establishment
    - CVE-2015-2696: IAKERB context aliasing during establishment
    - CVE-2015-2697: unsafe string handling in TGS processing

 -- Benjamin Kaduk  Mon, 26 Oct 2015 14:03:52 -0400

krb5 (1.13.2+dfsg-2) unstable; urgency=medium

  * No-change rebuild to target unstable

 -- Benjamin Kaduk  Thu, 25 Jun 2015 17:10:03 -0400

krb5 (1.13.2+dfsg-1) experimental; urgency=medium

  * New upstream release:
    - Fix importing GSS composite export names
    - Fix kadm5.acl wildcard matching when early lines have partial matches
    - Disable principal renames for LDAP; they do not work properly and are
      hard to fix
    - Fix LDAP ticket policies on big-endian LP64 systems
    - Fix memory leak in DB2 iteration
    - Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
  * Add python to build-depends-indep, since we call it manually during
    the documentation build, Closes: #746395

 -- Benjamin Kaduk  Thu, 14 May 2015 13:38:58 -0400

krb5 (1.13.1+dfsg-1) experimental; urgency=low

  * New upstream release:
    - Make the KDC default to listening on TCP (as well as UDP)
    - Bump DAL major version for krb5_db_iterate() API change; KDB modules
      will need to be rebuilt
    - Let ksu use any keytab entry to verify the obtained TGT
    - Improve kadm5_randkey_principal interop with Solaris KDCs
    - Export symbols for some public gss interfaces
    - Allow the logger to work with redirected stderr
    - Remove length limit on PKINIT PKCS#12 prompts

 -- Benjamin Kaduk  Mon, 16 Mar 2015 14:23:06 -0400

krb5 (1.12.1+dfsg-20) unstable; urgency=high

  * Import upstream patch for CVE-2015-2694, Closes: #783557
  * Bump Standards-Version to 3.9.6 (no changes needed)

 -- Benjamin Kaduk  Wed, 13 May 2015 14:40:36 -0400

krb5 (1.12.1+dfsg-19) unstable; urgency=medium

  * mark systemd unit directories as optional, Closes: #780831

 -- Sam Hartman  Fri, 20 Mar 2015 16:22:33 -0400

# For older changelog entries, run 'apt-get changelog krb5-locales'