Security update for krb5

Announcement ID: SUSE-SU-2018:1425-1
Rating: moderate
References:
Cross-References:
CVSS scores:
  • CVE-2017-7562 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE-2017-7562 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE-2017-7562 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products:
  • SUSE Linux Enterprise Server 12
  • SUSE Linux Enterprise Server 12 LTSS 12
  • SUSE Linux Enterprise Server 12 SP1
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
  • SUSE Linux Enterprise Server for SAP Applications 12
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
  • SUSE OpenStack Cloud 6

An update that solves one vulnerability and has two security fixes can now be installed.

Description:

This update for krb5 provides the following fixes:

Security issues fixed:

  • CVE-2017-7562: Improper validation of certificate EKU and SAN could lead to authentication bypass. (bsc#1055851)

Non-security issues fixed:

  • Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028)
  • Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in gss_indicate_mech() list. (bsc#1081725)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE OpenStack Cloud 6
    zypper in -t patch SUSE-OpenStack-Cloud-6-2018-983=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1
    zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-983=1
  • SUSE Linux Enterprise Server 12 LTSS 12
    zypper in -t patch SUSE-SLE-SERVER-12-2018-983=1
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
    zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-983=1

Package List:

  • SUSE OpenStack Cloud 6 (x86_64)
    • krb5-server-debuginfo-1.12.1-38.5.3
    • krb5-plugin-preauth-otp-debuginfo-1.12.1-38.5.3
    • krb5-client-debuginfo-1.12.1-38.5.3
    • krb5-plugin-kdb-ldap-1.12.1-38.5.3
    • krb5-client-1.12.1-38.5.3
    • krb5-debuginfo-32bit-1.12.1-38.5.3
    • krb5-32bit-1.12.1-38.5.3
    • krb5-debugsource-1.12.1-38.5.3
    • krb5-1.12.1-38.5.3
    • krb5-plugin-preauth-pkinit-debuginfo-1.12.1-38.5.3
    • krb5-plugin-preauth-pkinit-1.12.1-38.5.3
    • krb5-plugin-preauth-otp-1.12.1-38.5.3
    • krb5-server-1.12.1-38.5.3
    • krb5-debuginfo-1.12.1-38.5.3
    • krb5-doc-1.12.1-38.5.3
    • krb5-plugin-kdb-ldap-debuginfo-1.12.1-38.5.3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
    • krb5-server-debuginfo-1.12.1-38.5.3
    • krb5-plugin-preauth-otp-debuginfo-1.12.1-38.5.3
    • krb5-client-debuginfo-1.12.1-38.5.3
    • krb5-plugin-kdb-ldap-1.12.1-38.5.3
    • krb5-client-1.12.1-38.5.3
    • krb5-debugsource-1.12.1-38.5.3
    • krb5-1.12.1-38.5.3
    • krb5-plugin-preauth-pkinit-debuginfo-1.12.1-38.5.3
    • krb5-plugin-preauth-pkinit-1.12.1-38.5.3
    • krb5-plugin-preauth-otp-1.12.1-38.5.3
    • krb5-server-1.12.1-38.5.3
    • krb5-debuginfo-1.12.1-38.5.3
    • krb5-doc-1.12.1-38.5.3
    • krb5-plugin-kdb-ldap-debuginfo-1.12.1-38.5.3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP1 (x86_64)
    • krb5-debuginfo-32bit-1.12.1-38.5.3
    • krb5-32bit-1.12.1-38.5.3
  • SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
    • krb5-server-debuginfo-1.12.1-38.5.3
    • krb5-plugin-preauth-otp-debuginfo-1.12.1-38.5.3
    • krb5-client-debuginfo-1.12.1-38.5.3
    • krb5-plugin-kdb-ldap-1.12.1-38.5.3
    • krb5-client-1.12.1-38.5.3
    • krb5-debugsource-1.12.1-38.5.3
    • krb5-1.12.1-38.5.3
    • krb5-plugin-preauth-pkinit-debuginfo-1.12.1-38.5.3
    • krb5-plugin-preauth-pkinit-1.12.1-38.5.3
    • krb5-plugin-preauth-otp-1.12.1-38.5.3
    • krb5-server-1.12.1-38.5.3
    • krb5-debuginfo-1.12.1-38.5.3
    • krb5-doc-1.12.1-38.5.3
    • krb5-plugin-kdb-ldap-debuginfo-1.12.1-38.5.3
  • SUSE Linux Enterprise Server 12 LTSS 12 (s390x x86_64)
    • krb5-debuginfo-32bit-1.12.1-38.5.3
    • krb5-32bit-1.12.1-38.5.3
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (ppc64le s390x x86_64)
    • krb5-server-debuginfo-1.12.1-38.5.3
    • krb5-plugin-preauth-otp-debuginfo-1.12.1-38.5.3
    • krb5-client-debuginfo-1.12.1-38.5.3
    • krb5-plugin-kdb-ldap-1.12.1-38.5.3
    • krb5-client-1.12.1-38.5.3
    • krb5-debugsource-1.12.1-38.5.3
    • krb5-1.12.1-38.5.3
    • krb5-plugin-preauth-pkinit-debuginfo-1.12.1-38.5.3
    • krb5-plugin-preauth-pkinit-1.12.1-38.5.3
    • krb5-plugin-preauth-otp-1.12.1-38.5.3
    • krb5-server-1.12.1-38.5.3
    • krb5-debuginfo-1.12.1-38.5.3
    • krb5-doc-1.12.1-38.5.3
    • krb5-plugin-kdb-ldap-debuginfo-1.12.1-38.5.3
  • SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (s390x x86_64)
    • krb5-debuginfo-32bit-1.12.1-38.5.3
    • krb5-32bit-1.12.1-38.5.3

References: