Re: [SRM] update request for krb5 for significant interop and security issues
- To: "Adam D. Barratt" <firstname.lastname@example.org>
- Cc: email@example.com
- Subject: Re: [SRM] update request for krb5 for significant interop and security issues
- From: Sam Hartman <firstname.lastname@example.org>
- Date: Thu, 02 Jun 2011 14:02:30 -0400
- Message-id: <[🔎] email@example.com>
- In-reply-to: <firstname.lastname@example.org> (Adam D. Barratt's message of "Tue, 22 Mar 2011 21:29:43 +0000")
- References: <email@example.com> <firstname.lastname@example.org>
>>>>> "Adam" == Adam D Barratt <email@example.com> writes:
Adam> On Wed, 2011-03-16 at 11:58 -0400, Sam Hartman wrote:
>> I'd like permission to upload the following patch to s-p-u. I've
>> coordinated with the security team for the security issues and
>> our mutual agreement is that they should be addressed in a point
Adam> Apologies for the slightly delay in getting back to you while
Adam> we were getting the point release finalised and, well,
And sorry for my time in getting back to you.
I've just uploaded to stable.
I've included one additional fix to src/kadmin/server/schpw.c
This fixes an invalid free that was crashing kadmind.
>> +krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low + + * Fix double
>> free with pkinit on KDC, CVE-2011-0284, Closes: #618517 + *
>> Updated Danish debconf translations, thanks Joe Dalton, Closes: +
>> #584282 + * KDC/LDAP DOS (CVE-2010-4022, CVE-2011-0281, and
>> CVE-2011-0282, + Closes: #613487 + * Fix delegation of
>> credentials against Windows servers; significant +
>> interoperability issue, Closes: #611906
Adam> Based on a process of elimination, this is the changes to
Adam> lib/crypto/krb/checksum/hmac_md5.c and
Adam> lib/gssapi/krb5/init_sec_context.c ?
>> +# Dansih translation krb5.
>> +"Content-Type: text/plain; charset=ISO-8859-1\n" +"Content-Type:
>> text/plain; charset=UTF-8\n"
>> -msgstr "SÃ¦tter et Kerberos-rige op" +msgstr
>> "SÃ?Â¦tter et Kerberos-rige op"
Adam> The encoding here (and in a few other places) looks broken,
Adam> although I note that the equivalent sections of the file in
Adam> unstable seem okay. Is this purely a mail transmission issue,
Adam> or with the .po file itself in the proposed package?