19:56 Rene Ladan (rene) 

security/krb5-119: Remove expired port

2024-04-15 security/krb5-119: Desupported by MIT following 1.21

    4c14a7fa

17:19 Cy Schubert (cy) 

security/krb5-119: Update to 1.19.4

MFH:		2022Q4
Security:	CVE-2022-42898

    eed9a79

16:37 Cy Schubert (cy) 

security/krb5-*: Address CVE-2022-42898

Topic: Vulnerabilities in PAC parsing

CVE-2022-42898: integer overflow vulnerabilities in PAC parsing

SUMMARY
=======

Three integer overflow vulnerabilities have been discovered in the MIT
krb5 library function krb5_parse_pac().

IMPACT
======

An authenticated attacker may be able to cause a KDC or kadmind
process to crash by reading beyond the bounds of allocated memory,
creating a denial of service.  A privileged attacker may similarly be
able to cause a Kerberos or GSS application service to crash.

On a 32-bit platform, an authenticated attacker may be able to cause
heap corruption in a KDC or kadmind process, possibly leading to
remote code execution.  A privileged attacker may similarly be able to
cause heap corruption in a Kerberos or GSS application service running
on a 32-bit platform.

An attacker with the privileges of a cross-realm KDC may be able to
extract secrets from a KDC process's memory by having them copied into
the PAC of a new ticket.

AFFECTED SOFTWARE
=================

Kerberos and GSS application services using krb5-1.8 or later are
affected.  kadmind in krb5-1.8 or later is affected.  The krb5-1.20
KDC is affected.  The krb5-1.8 through krb5-1.19 KDC is affected when
using the Samba or FreeIPA KDB modules.

REFERENCES
==========

This announcement is posted at:

  https://web.mit.edu/kerberos/advisories/MITKRB5-SA-2022-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        https://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        https://web.mit.edu/kerberos/index.html

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898

MFH:		2022Q4
Security:	CVE-2022-42898

    de40003

16:59 Cy Schubert (cy) 

security/krb5-119: Update to 1.19.3

    f47c333

19:55 Cy Schubert (cy) 

security/krb5-119: Update to 1.19.2

The announcement as follows:

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Releases 1.19.2 and 1.18.4.  Please see below for a list of some major
changes included, or consult the README file in the source tree for a
more detailed list of significant changes.

Retrieving krb5-1.19.2 and krb5-1.18.4
======================================

You may retrieve the krb5-1.19.2 and krb5-1.18.4 sources from the
following URL:

        https://kerberos.org/dist/

The homepage for the krb5-1.19.2 and krb5-1.18.4 releases are:

        https://web.mit.edu/kerberos/krb5-1.19/
        https://web.mit.edu/kerberos/krb5-1.18/

Further information about Kerberos 5 may be found at the following
URL:

        https://web.mit.edu/kerberos/

Triple-DES transition
=====================

Beginning with the krb5-1.19 release, a warning will be issued if
initial credentials are acquired using the des3-cbc-sha1 encryption
type.  In future releases, this encryption type will be disabled by
default and eventually removed.

Beginning with the krb5-1.18 release, single-DES encryption types have
been removed.

Major changes in 1.19.2 and 1.18.4 (2021-07-22)
===============================================

These are bug fix releases.

* Fix a denial of service attack against the KDC encrypted challenge
  code [CVE-2021-36222].

* Fix a memory leak when gss_inquire_cred() is called without a
  credential handle.

MFH:		2021Q3
Security:	CVE-2021-36222

    f6f818b

15:31 cy 

security/krb5: update 1.19 --> 1.19.1.

 

05:01 cy 

Welcome the new KRB5 1.19 (krb5-119)

In addition, deprecate krb5-117 to retire one year after the release
of krb5-119: Feb 1, 2022.

krb5-119 becomes the default krb5 port.