
[SECURITY] [DSA 4589-1] Critical security fix for Debian Edu 8, 9, 10 and 11 update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

a security issue was discovered in Debian Edu (Skolelinux)
installations. It was possible for users savvy about the used Kerberos
user backend to change the passwords of other users.

While the bug was not exposed through the usual user interfaces
advertised for managing passwords in Debian Edu, any authenticated user
on the local network could use the kadmin utility to change other users'
passwords.

The issue was reported on Sunday night and has by now been fixed in all
supported versions of Debian Edu:

 - Debian Edu 8 (jessie, LTS)
 - Debian Edu 9 (stretch, oldstable)
 - Debian Edu 10 (buster, stable)

(…and also in the current development version 11 (bullseye))

You can find the original Debian advisory, including links to
documentation on how to apply the fix, below (tl;dr: apt update && apt
upgrade on the main server).

The buggy code was very old, and by now, Debian Edu is using a far
better change and review process. Yet, we will discuss measures to
further prevent such situations in the future.

Kind regards,
Nik

----- Forwarded message from Moritz Muehlenhoff <jmm@debian.org> -----

Date: Wed, 18 Dec 2019 22:41:36 +0000
From: Moritz Muehlenhoff <jmm@debian.org>
To: debian-security-announce@lists.debian.org
User-Agent: NeoMutt/20170113 (1.7.2)
Subject: [SECURITY] [DSA 4589-1] debian-edu-config security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-4589-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
December 18, 2019                     https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : debian-edu-config
CVE ID         : CVE-2019-3467
Debian Bug     : 946797

It was discovered that debian-edu-config, a set of configuration files
used for the Debian Edu blend, configured too permissive ACLs for the
Kerberos admin server, which allowed password changes for other user
principals.

For the oldstable distribution (stretch), this problem has been fixed
in version 1.929+deb9u4.

For the stable distribution (buster), this problem has been fixed in
version 2.10.65+deb10u3.

We recommend that you upgrade your debian-edu-config packages.

For the detailed security status of debian-edu-config please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/debian-edu-config

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org


----- End forwarded message -----
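The too-permissive kadmin ACL the advisory describes is the kind of entry a small audit of kadm5.acl can catch. The script below is an added example, not Debian Edu's code and not its actual kadm5.acl: it parses a simplified MIT kadm5.acl and flags entries that grant the change-password right to non-admin principals without pinning the target to the caller. The sample ACLs and the EDU.EXAMPLE realm are constructed for this example.

```python
import re
from typing import List, Tuple

# Simplified MIT kadm5.acl grammar (assumption of this example):
#   <principal-pattern> <permissions> [<target-pattern> [<restrictions>]]
# lower-case letters grant, 'c' is change-password, 'x' or '*' grants all.
GRANTS_CHANGEPW = {"c", "x", "*"}
# A target like *1@REALM back-references the caller's own first component.
SELF_TARGET = re.compile(r"^\*\d")

def parse_acl(text: str) -> List[Tuple[str, str, str]]:
    """Return (principal, perms, target) per entry; target '' means any principal."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        target = parts[2] if len(parts) > 2 else ""
        entries.append((parts[0], parts[1], target))
    return entries

def is_admin_scoped(principal: str) -> bool:
    """True when the pattern only matches principals with an 'admin' instance."""
    return principal.split("@", 1)[0].endswith("/admin")

def overly_permissive(text: str) -> List[str]:
    """Entries letting non-admin principals change other principals' passwords."""
    findings = []
    for principal, perms, target in parse_acl(text):
        if not (GRANTS_CHANGEPW & set(perms)):
            continue                     # no change-password right granted
        if is_admin_scoped(principal):
            continue                     # limited to */admin style principals
        if target and SELF_TARGET.match(target):
            continue                     # pinned to the caller's own principal
        findings.append(f"{principal} {perms} {target}".strip())
    return findings

# Constructed samples, not the Debian Edu file. kadmind lets every principal
# change its own password without an ACL entry, so the hardened file needs
# only the admin entry.
WEAK_ACL = """\
*/admin@EDU.EXAMPLE   *
# too permissive: any authenticated user may change any password
*@EDU.EXAMPLE         cil
"""
HARDENED_ACL = "*/admin@EDU.EXAMPLE   *\n"
```

Run `overly_permissive()` over the file from the main server; an empty list means no catch-all change-password grant was found, which is the state the fixed packages restore.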