Bug#327233: marked as done (CAN-2005-2798: GSSAPI credentials inadvertantly exposed through improper delegation)

To: Russ Allbery <rra@debian.org>
Subject: Bug#327233: marked as done (CAN-2005-2798: GSSAPI credentials inadvertantly exposed through improper delegation)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Mon, 17 Nov 2008 21:47:46 +0000
Message-id: <[🔎] handler.327233.D327233.122695838919787.ackdone@bugs.debian.org>
References: <877i72qbjd.fsf@windlord.stanford.edu> <20050908151154.8EA2289C@yar>

Your message dated Mon, 17 Nov 2008 13:37:26 -0800
with message-id <877i72qbjd.fsf@windlord.stanford.edu>
and subject line Re: Bug#327233: CAN-2005-2798: GSSAPI credentials inadvertantly exposed through improper delegation
has caused the Debian Bug report #327233,
regarding CAN-2005-2798: GSSAPI credentials inadvertantly exposed through improper delegation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
327233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327233
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-2798: GSSAPI credentials inadvertantly exposed through improper delegation
From: Micah Anderson <micah@riseup.net>
Date: Thu, 08 Sep 2005 10:11:53 -0500
Message-id: <20050908151154.8EA2289C@yar>

Package: openssh-krb5
Severity: important
Tags: security

CAN-2005-2798[1] reads:

sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled,
allows GSSAPI credentials to be delegated to clients who log in using
non-GSSAPI methods, which could cause those credentials to be exposed to
untrusted users or hosts.

Since GASSAPI features are enabled in openssh-krb5/ssh-krb5 and the source
package tends to use older gassapi source, so it is likely these binaries
are vulnerable. 

GSSAPI is disabled in the main openssh binary packages, but the bug is still
present in the source (see #326065), so this separate bug is filed against
this package.

Please mention this CAN number in any changelog entries that fix this issue.

1. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2798


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

--- End Message ---

--- Begin Message ---

To: 327233-done@bugs.debian.org

Subject: Re: Bug#327233: CAN-2005-2798: GSSAPI credentials inadvertantly exposed through improper delegation

From: Russ Allbery <rra@debian.org>

Date: Mon, 17 Nov 2008 13:37:26 -0800

Message-id: <877i72qbjd.fsf@windlord.stanford.edu>
Version: 1:4.3p2-7

The separate openssh-krb5 package was made obsolete by including the
GSSAPI support in the regular openssh builds as of 1:4.3p2-7, and the code
included there had a patch for this bug.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
--- End Message ---

Reply to:

Prev by Date: Bug#505995: openssh-server: openssh server fails on reboot
Next by Date: Bug#312486: marked as done (openssh-krb5: update for openssh client/server split)
Previous by thread: Bug#505995: openssh-server: openssh server fails on reboot
Next by thread: Bug#312486: marked as done (openssh-krb5: update for openssh client/server split)
Index(es):
- Date
- Thread