
Bug#327233: marked as done (CAN-2005-2798: GSSAPI credentials inadvertently exposed through improper delegation)

Your message dated Mon, 17 Nov 2008 13:37:26 -0800
with message-id <877i72qbjd.fsf@windlord.stanford.edu>
and subject line Re: Bug#327233: CAN-2005-2798: GSSAPI credentials inadvertently exposed through improper delegation
has caused the Debian Bug report #327233,
regarding CAN-2005-2798: GSSAPI credentials inadvertently exposed through improper delegation
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

327233: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=327233
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-krb5
Severity: important
Tags: security

CAN-2005-2798[1] reads:

sshd in OpenSSH before 4.2, when GSSAPIDelegateCredentials is enabled,
allows GSSAPI credentials to be delegated to clients who log in using
non-GSSAPI methods, which could cause those credentials to be exposed to
untrusted users or hosts.

Since GSSAPI features are enabled in openssh-krb5/ssh-krb5 and the source
package tends to use older GSSAPI source, it is likely these binaries
are vulnerable.

GSSAPI is disabled in the main openssh binary packages, but the bug is still
present in the source (see #326065), so this separate bug is filed against
this package.

Please mention this CAN number in any changelog entries that fix this issue.

1. http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2798

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

--- End Message ---
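The CVE text quoted in the report describes a binding problem rather than a crypto flaw: credentials that a client forwards during a GSSAPI attempt must only survive if GSSAPI is the method that actually completes authentication. The following is an added illustration written for this page, not OpenSSH's code and not part of the bug report. It models one sshd session as a small state machine: the GSS context (and with it any delegated credential) is established before the authentication request is checked, the client then falls back to password authentication, and the two `finish_login_*` functions show the pre-fix and the corrected handling of the stored credential. The principal names, cache name and the ordering of the MIC check are assumptions of the model.

```python
"""Constructed model of CAN-2005-2798 (credential delegation surviving a
non-GSSAPI login). Not OpenSSH source; names and ordering are assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    account: str                                  # Unix account the client asked for
    authenticated: bool = False
    auth_method: Optional[str] = None             # method that actually completed auth
    delegated_creds: Optional[str] = None         # forwarded credential cache, if any


def gssapi_with_mic(session: Session, principal: str,
                    delegate: bool, mic_valid: bool) -> bool:
    """Model of a gssapi-with-mic attempt.

    Assumption of this model: the GSS context is established (so a delegated
    credential arrives and is stored) before the MIC over the userauth request
    is verified. A failed MIC therefore leaves the credential behind.
    """
    if delegate:
        session.delegated_creds = f"krb5cc:{principal}"  # side effect of context setup
    if mic_valid:
        session.authenticated = True
        session.auth_method = "gssapi-with-mic"
        return True
    return False


def password(session: Session, supplied: str, expected: str) -> bool:
    """Fallback method the client uses after GSSAPI fails."""
    if supplied == expected:
        session.authenticated = True
        session.auth_method = "password"
        return True
    return False


def finish_login_vulnerable(session: Session) -> Optional[str]:
    """Pre-fix behaviour as the CVE describes it: whatever credential was
    stored during *any* GSSAPI exchange is exported into the new session,
    regardless of how the login completed."""
    if not session.authenticated:
        return None
    return session.delegated_creds


def finish_login_fixed(session: Session) -> Optional[str]:
    """Corrected behaviour: a delegated credential is only exported when
    GSSAPI is the method that authenticated this session. Anything left
    over from a failed attempt is discarded."""
    if not session.authenticated or session.auth_method != "gssapi-with-mic":
        return None
    return session.delegated_creds


def run_scenarios() -> dict:
    """Two constructed sessions: the exposure case and the legitimate case."""
    # alice forwards her credential, is not authorised for account 'bob',
    # then the client logs in to 'bob' with a password instead.
    leak = Session(account="bob")
    gssapi_with_mic(leak, "alice@EXAMPLE.COM", delegate=True, mic_valid=False)
    password(leak, "hunter2", "hunter2")

    # alice logs in to her own account via GSSAPI; delegation is intended.
    ok = Session(account="alice")
    gssapi_with_mic(ok, "alice@EXAMPLE.COM", delegate=True, mic_valid=True)

    return {
        "fallback_vulnerable": finish_login_vulnerable(leak),  # alice's creds in bob's session
        "fallback_fixed": finish_login_fixed(leak),            # None: credential dropped
        "gssapi_vulnerable": finish_login_vulnerable(ok),
        "gssapi_fixed": finish_login_fixed(ok),                # still delegated, as intended
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The point of the model is the single condition in `finish_login_fixed`: exporting a credential is gated on `auth_method`, not on whether a credential happens to be present. In the fallback scenario the password holder for `bob` ends up with `alice`'s forwarded credential under the old rule and with nothing under the new one, while the legitimate GSSAPI login is unaffected.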
--- Begin Message ---
Version: 1:4.3p2-7

The separate openssh-krb5 package was made obsolete by including the
GSSAPI support in the regular openssh builds as of 1:4.3p2-7, and the code
included there had a patch for this bug.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

--- End Message ---
