Date:      Fri, 2 Jul 2010 22:29:27 GMT
From:      Bill Cole <bill_cole@cipherspace.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/148335: security/krb5 needs a patch or update
Message-ID:  <201007022229.o62MTRtG089142@www.freebsd.org>
Resent-Message-ID: <201007022230.o62MU2u8087948@freefall.freebsd.org>


>Number:         148335
>Category:       ports
>Synopsis:       security/krb5 needs a patch or update
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 02 22:30:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Bill Cole
>Release:        8.0
>Organization:
CipherSpace, LLC
>Environment:
FreeBSD MUNGE 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #2: Tue Mar  2 19:18:36 UTC 2010     root@MUNGE:/usr/obj/usr/src/sys/MUNGE  amd64

>Description:
krb5 has been flagged by portaudit for many weeks due to a vulnerability which could be fixed by either updating the port to 1.8.2 or including the upstream patch for 1.8.1.

MIT vulnerability info: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt

>How-To-Repeat:
Attempt to fetch the krb5 port:

# cd /usr/ports/security/krb5
# make fetch
===>  krb5-1.8.1_1 has known vulnerabilities:
=> krb5 -- KDC double free vulnerability.
   Reference: <http://portaudit.FreeBSD.org/86b8b655-4d1a-11df-83fb-0015587e2cc1.html>
=> krb5 -- KDC double free vulnerability.
   Reference: <http://portaudit.FreeBSD.org/86b8b655-4d1a-11df-83fb-0015587e2cc1.html>
=> Please update your ports tree and try again.
*** Error code 1

>Fix:
MIT patch against 1.8.1 to fix the specific vulnerability:
   <http://web.mit.edu/kerberos/advisories/2010-004-patch.txt>
MIT release page for 1.8.2:
   <http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.2.html>

The port already includes an MIT patch for a different vulnerability of close vintage: 2010-005

Presumably adding the patch would be a quicker, simpler fix, updating to 1.8.2 the long-term choice. 1.8.2 does not appear to me to have break-inducing changes, but I'm no Kerberos guru.

>Release-Note:
>Audit-Trail:
>Unformatted:


