Date: Fri, 2 Jul 2010 22:29:27 GMT From: Bill Cole <bill_cole@cipherspace.com> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/148335: security/krb5 needs a patch or update Message-ID: <201007022229.o62MTRtG089142@www.freebsd.org> Resent-Message-ID: <201007022230.o62MU2u8087948@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 148335 >Category: ports >Synopsis: security/krb5 needs a patch or update >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Fri Jul 02 22:30:01 UTC 2010 >Closed-Date: >Last-Modified: >Originator: Bill Cole >Release: 8.0 >Organization: CipherSpace, LLC >Environment: FreeBSD MUNGE 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #2: Tue Mar 2 19:18:36 UTC 2010 root@MUNGE:/usr/obj/usr/src/sys/MUNGE amd64 >Description: krb5 has been flagged by portaudit for many weeks due to a vulnerability which could be fixed by either updating the port to 1.8.2 or including the upstream patch for 1.8.1. MIT vulnerability info: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt >How-To-Repeat: Attempt to fetch the krb5 port: # cd /usr/ports/security/krb5 # make fetch ===> krb5-1.8.1_1 has known vulnerabilities: => krb5 -- KDC double free vulnerability. Reference: <http://portaudit.FreeBSD.org/86b8b655-4d1a-11df-83fb-0015587e2cc1.html> => krb5 -- KDC double free vulnerability. Reference: <http://portaudit.FreeBSD.org/86b8b655-4d1a-11df-83fb-0015587e2cc1.html> => Please update your ports tree and try again. *** Error code 1 >Fix: MIT patch against 1.8.1 to fix the specific vulnerability: <http://web.mit.edu/kerberos/advisories/2010-004-patch.txt> MIT release page for 1.8.2: <http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.2.html> The port already includes a MIT patch for a different vulnerability of close vintage: 2010-005 Presumably adding the patch would be a quicker simpler fix, updating to 1.8.2 the long-term choice. 1.8.2 does not appear to me to have break-inducing changes, but I'm no kerberos guru. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201007022229.o62MTRtG089142>