Security update for krb5

Announcement ID:	SUSE-SU-2015:0290-1
Rating:	important
References:	bsc#897874 bsc#898439 bsc#912002
Cross-References:	CVE-2014-5351 CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423
CVSS scores:
Affected Products:	SUSE Linux Enterprise Desktop 12 SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Software Bootstrap Kit 12 SUSE Linux Enterprise Software Development Kit 12

An update that solves five vulnerabilities can now be installed.

Description:

MIT kerberos krb5 was updated to fix several security issues and bugs.

Security issues fixed: CVE-2014-5351: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) sent old keys in a response to a -randkey -keepold request, which allowed remote authenticated users to forge tickets by leveraging administrative access.

CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after gss_process_context_token() is used to process a valid context deletion token, the caller was left with a security context handle containing a dangling pointer. Further uses of this handle would have resulted in use-after-free and double-free memory access violations. libgssrpc server applications such as kadmind were vulnerable as they can be instructed to call gss_process_context_token().

CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data from an authenticated user, it may have performed use-after-free and double-free memory access violations while cleaning up the partial deserialization results. Other libgssrpc server applications might also been vulnerable if they contain insufficiently defensive XDR functions.

CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepted authentications to two-component server principals whose first component is a left substring of "kadmin" or whose realm is a left prefix of the default realm.

CVE-2014-9423: libgssrpc applications including kadmind output four or eight bytes of uninitialized memory to the network as part of an unused "handle" field in replies to clients.

Bugs fixed: - Work around replay cache creation race; (bnc#898439).

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Software Bootstrap Kit 12
  zypper in -t patch SUSE-SLE-BSK-12-2015-74=1
• SUSE Linux Enterprise Desktop 12
  zypper in -t patch SUSE-SLE-DESKTOP-12-2015-74=1
• SUSE Linux Enterprise Software Development Kit 12
  zypper in -t patch SUSE-SLE-SDK-12-2015-74=1
• SUSE Linux Enterprise Server 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-74=1
• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SERVER-12-2015-74=1

Package List:

• SUSE Linux Enterprise Software Bootstrap Kit 12 (ppc64le s390x x86_64)
  • krb5-mini-debugsource-1.12.1-9.1
  • krb5-mini-1.12.1-9.1
  • krb5-mini-debuginfo-1.12.1-9.1
  • krb5-mini-devel-1.12.1-9.1
• SUSE Linux Enterprise Desktop 12 (x86_64)
  • krb5-debuginfo-32bit-1.12.1-9.1
  • krb5-client-1.12.1-9.1
  • krb5-debuginfo-1.12.1-9.1
  • krb5-32bit-1.12.1-9.1
  • krb5-client-debuginfo-1.12.1-9.1
  • krb5-1.12.1-9.1
  • krb5-debugsource-1.12.1-9.1
• SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64)
  • krb5-devel-1.12.1-9.1
  • krb5-debuginfo-1.12.1-9.1
  • krb5-debugsource-1.12.1-9.1
• SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64)
  • krb5-client-1.12.1-9.1
  • krb5-server-1.12.1-9.1
  • krb5-plugin-preauth-pkinit-debuginfo-1.12.1-9.1
  • krb5-plugin-kdb-ldap-1.12.1-9.1
  • krb5-debuginfo-1.12.1-9.1
  • krb5-plugin-preauth-pkinit-1.12.1-9.1
  • krb5-plugin-kdb-ldap-debuginfo-1.12.1-9.1
  • krb5-doc-1.12.1-9.1
  • krb5-server-debuginfo-1.12.1-9.1
  • krb5-plugin-preauth-otp-debuginfo-1.12.1-9.1
  • krb5-client-debuginfo-1.12.1-9.1
  • krb5-1.12.1-9.1
  • krb5-plugin-preauth-otp-1.12.1-9.1
  • krb5-debugsource-1.12.1-9.1
• SUSE Linux Enterprise Server 12 (s390x x86_64)
  • krb5-debuginfo-32bit-1.12.1-9.1
  • krb5-32bit-1.12.1-9.1
• SUSE Linux Enterprise Server for SAP Applications 12 (x86_64)
  • krb5-debuginfo-32bit-1.12.1-9.1
  • krb5-client-1.12.1-9.1
  • krb5-server-1.12.1-9.1
  • krb5-plugin-preauth-pkinit-debuginfo-1.12.1-9.1
  • krb5-plugin-kdb-ldap-1.12.1-9.1
  • krb5-debuginfo-1.12.1-9.1
  • krb5-plugin-preauth-pkinit-1.12.1-9.1
  • krb5-32bit-1.12.1-9.1
  • krb5-plugin-kdb-ldap-debuginfo-1.12.1-9.1
  • krb5-doc-1.12.1-9.1
  • krb5-server-debuginfo-1.12.1-9.1
  • krb5-plugin-preauth-otp-debuginfo-1.12.1-9.1
  • krb5-client-debuginfo-1.12.1-9.1
  • krb5-1.12.1-9.1
  • krb5-plugin-preauth-otp-1.12.1-9.1
  • krb5-debugsource-1.12.1-9.1

References:

• https://www.suse.com/security/cve/CVE-2014-5351.html
• https://www.suse.com/security/cve/CVE-2014-5352.html
• https://www.suse.com/security/cve/CVE-2014-9421.html
• https://www.suse.com/security/cve/CVE-2014-9422.html
• https://www.suse.com/security/cve/CVE-2014-9423.html
• https://bugzilla.suse.com/show_bug.cgi?id=897874
• https://bugzilla.suse.com/show_bug.cgi?id=898439
• https://bugzilla.suse.com/show_bug.cgi?id=912002