Security update for krb5 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:0854-1 Final 1 1 2018-03-30T07:30:06Z current 2018-03-30T07:30:06Z 2018-03-30T07:30:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for krb5 This update for krb5 provides the following fixes: Security issues fixed: - CVE-2018-5730: DN container check bypass by supplying special crafted data (bsc#1083927). - CVE-2018-5729: Null pointer dereference in kadmind or DN container check bypass by supplying special crafted data (bsc#1083926). Non-security issues fixed: - Make it possible for legacy applications (e.g. SAP Netweaver) to remain compatible with newer Kerberos. System administrators who are experiencing this kind of compatibility issues may set the environment variable GSSAPI_ASSUME_MECH_MATCH to a non-empty value, and make sure the environment variable is visible and effective to the application startup script. (bsc#1057662) - Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in gss_indicate_mech() list. (bsc#1081725) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2018-03/msg00116.html E-Mail link for openSUSE-SU-2018:0854-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 krb5-1.12.5-16.1 krb5-32bit-1.12.5-16.1 krb5-client-1.12.5-16.1 krb5-devel-1.12.5-16.1 krb5-devel-32bit-1.12.5-16.1 krb5-doc-1.12.5-16.1 krb5-mini-1.12.5-16.1 krb5-mini-devel-1.12.5-16.1 krb5-plugin-kdb-ldap-1.12.5-16.1 krb5-plugin-preauth-otp-1.12.5-16.1 krb5-plugin-preauth-pkinit-1.12.5-16.1 krb5-server-1.12.5-16.1 krb5-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-32bit-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-client-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-devel-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-devel-32bit-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-doc-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-mini-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-mini-devel-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-plugin-kdb-ldap-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-plugin-preauth-otp-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-plugin-preauth-pkinit-1.12.5-16.1 as a component of openSUSE Leap 42.3 krb5-server-1.12.5-16.1 as a component of openSUSE Leap 42.3 MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to the database module. CVE-2018-5729 openSUSE Leap 42.3:krb5-1.12.5-16.1 openSUSE Leap 42.3:krb5-32bit-1.12.5-16.1 openSUSE Leap 42.3:krb5-client-1.12.5-16.1 openSUSE Leap 42.3:krb5-devel-1.12.5-16.1 openSUSE Leap 42.3:krb5-devel-32bit-1.12.5-16.1 openSUSE Leap 42.3:krb5-doc-1.12.5-16.1 openSUSE Leap 42.3:krb5-mini-1.12.5-16.1 openSUSE Leap 42.3:krb5-mini-devel-1.12.5-16.1 openSUSE Leap 42.3:krb5-plugin-kdb-ldap-1.12.5-16.1 openSUSE Leap 42.3:krb5-plugin-preauth-otp-1.12.5-16.1 openSUSE Leap 42.3:krb5-plugin-preauth-pkinit-1.12.5-16.1 openSUSE Leap 42.3:krb5-server-1.12.5-16.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-03/msg00116.html https://www.suse.com/security/cve/CVE-2018-5729.html CVE-2018-5729 https://bugzilla.suse.com/1076211 SUSE Bug 1076211 https://bugzilla.suse.com/1083926 SUSE Bug 1083926 https://bugzilla.suse.com/1122468 SUSE Bug 1122468 MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string which is a left extension of a container DN string but is not hierarchically within the container DN. CVE-2018-5730 openSUSE Leap 42.3:krb5-1.12.5-16.1 openSUSE Leap 42.3:krb5-32bit-1.12.5-16.1 openSUSE Leap 42.3:krb5-client-1.12.5-16.1 openSUSE Leap 42.3:krb5-devel-1.12.5-16.1 openSUSE Leap 42.3:krb5-devel-32bit-1.12.5-16.1 openSUSE Leap 42.3:krb5-doc-1.12.5-16.1 openSUSE Leap 42.3:krb5-mini-1.12.5-16.1 openSUSE Leap 42.3:krb5-mini-devel-1.12.5-16.1 openSUSE Leap 42.3:krb5-plugin-kdb-ldap-1.12.5-16.1 openSUSE Leap 42.3:krb5-plugin-preauth-otp-1.12.5-16.1 openSUSE Leap 42.3:krb5-plugin-preauth-pkinit-1.12.5-16.1 openSUSE Leap 42.3:krb5-server-1.12.5-16.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2018-03/msg00116.html https://www.suse.com/security/cve/CVE-2018-5730.html CVE-2018-5730 https://bugzilla.suse.com/1076211 SUSE Bug 1076211 https://bugzilla.suse.com/1083927 SUSE Bug 1083927 https://bugzilla.suse.com/1122468 SUSE Bug 1122468