[debian-edu-commits] [Git][debian-edu/debian-edu-config][buster] 10 commits: share/debian-edu-config/tools/kerberos-kdc-init:
Dominik George
gitlab at salsa.debian.org
Tue Dec 17 17:29:52 GMT 2019
Dominik George pushed to branch buster at Debian Edu / debian-edu-config
Commits:
69dd3cf2 by Wolfgang Schweer at 2019-12-16T15:27:57Z
share/debian-edu-config/tools/kerberos-kdc-init:
Set proper rights for users in kadm5.acl file. (Closes: #946797)
Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
6640e4d6 by Wolfgang Schweer at 2019-12-16T15:28:21Z
Improve kadm5.acl bug fix.
share/debian-edu-config/tools/kerberos-kdc-init:
Also disable inquiries to the Kerberos database for ordinary users.
debian/debian-edu-config.postinst:
Restart krb5-admin-server if the fix gets applied via upgrades.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
774f126b by Wolfgang Schweer at 2019-12-16T15:28:33Z
Improve kadm5.acl bug fix further.
debian/debian-edu-config.postinst:
Avoid messing up possible local additions, thanks to Dominik George.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
c464ef0c by Dominik George at 2019-12-16T15:29:39Z
Adjust changelog for buster-security
- - - - -
8a9b73cf by Dominik George at 2019-12-16T15:40:43Z
Add NEWS.Debian for kadm5.acl change
- - - - -
91322195 by Holger Levsen at 2019-12-16T16:07:27Z
Improve debian/debian-edu-config.postinst fix to only run once on upgrades.
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
6f0ae527 by Dominik George at 2019-12-16T16:35:16Z
Amend version comparison for buster
- - - - -
1f6c7101 by Dominik George at 2019-12-16T21:29:21Z
Add CVE reference to changelog
- - - - -
70f9a0ad by Dominik George at 2019-12-16T21:33:38Z
Fix name of NEWS file
- - - - -
dcb17206 by Dominik George at 2019-12-16T21:37:55Z
Add changelog about NEWS file
- - - - -
4 changed files:
- + debian/NEWS
- debian/changelog
- debian/debian-edu-config.postinst
- share/debian-edu-config/tools/kerberos-kdc-init
Changes:
=====================================
debian/NEWS
=====================================
@@ -0,0 +1,12 @@
+debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high
+
+ The Kerberos kadm ACLs in /etc/krb5kdc/kadm5.acl contained an insecure
+ setting allowing all authenticated users in the network to change the
+ credentials of everyone else, thus impersonating other users and gaining
+ their privileges.
+
+ If you never changed these ACLs, the package update fixes the issue
+ automatically. If you did, please double-check that no unexpected
+ principal has the c ACL (lower-case!) set.
+
+ -- Dominik George <natureshadow at debian.org> Mon, 16 Dec 2019 16:29:19 +0100
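Review bot: The last paragraph of the NEWS entry tells administrators with local edits to check only for the `c` (changepw) flag, but the same upload also withdraws `i` (inquire) from `*@INTERN` (the postinst rewrites `cil` to `CIl`), so a hand-edited file should be checked for an unexpected lower-case `i` as well; suggest "has the c or i ACL flags (lower-case!) set". It would also help to say in one sentence that upper-case letters in kadm5.acl are explicit denials, since that is what the reader needs to know to judge whether their file is safe.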
=====================================
debian/changelog
=====================================
@@ -1,3 +1,21 @@
+debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high
+
+ * Security fix for CVE-2019-3467
+
+ [ Wolfgang Schweer ]
+ * share/debian-edu-config/tools/kerberos-kdc-init:
+ - Set proper rights for users in kadm5.acl file. (Closes: #946797)
+ * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
+
+ [ Holger Levsen ]
+ * Improve debian/debian-edu-config.postinst fix to only run once on
+ upgrades.
+
+ [ Dominik George ]
+ * Add NEWS to warn administrators with possible local changes.
+
+ -- Dominik George <natureshadow at debian.org> Mon, 16 Dec 2019 16:29:19 +0100
+
debian-edu-config (2.10.65+deb10u2) buster; urgency=medium
[ Wolfgang Schweer ]
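Review bot: The entry under [ Wolfgang Schweer ] describes the kadm5.acl change only as "Set proper rights for users", but the diff also removes the inquire permission for ordinary users and restarts krb5-admin-server when the ACL file is rewritten on upgrade; both are user-visible and belong in the changelog so that an administrator reading it next to the NEWS text knows exactly which permissions changed, e.g. "Deny changepw and inquire (C, I) to ordinary users in kadm5.acl; restart krb5-admin-server when the file is fixed on upgrade."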
=====================================
debian/debian-edu-config.postinst
=====================================
@@ -256,6 +256,14 @@ configure)
cp /etc/cfengine3/debian-edu/edu.cf /var/lib/cfengine3/inputs/debian-edu
cp /etc/cfengine3/debian-edu/promises.cf /var/lib/cfengine3/inputs
fi
+
+ # Set proper rights for users - see #946797
+ if dpkg --compare-versions "$2" le "2.10.65+deb10u2" ; then
+ if [ -f /etc/krb5kdc/kadm5.acl ] ; then
+ sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl
+ service krb5-admin-server restart
+ fi
+ fi
;;
esac
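Review bot: `service krb5-admin-server restart` in the new block is unguarded: debian-edu-config's postinst runs on every profile, and if /etc/krb5kdc/kadm5.acl exists on a host where the admin server is not installed or fails to start, the non-zero exit aborts package configuration (maintainer scripts conventionally run with `set -e`). Debian policy also asks maintainer scripts to use invoke-rc.d rather than `service`; suggest `invoke-rc.d krb5-admin-server restart || true`, or guarding the restart on the service being present. Two smaller points: on a fresh install `$2` is empty and dpkg treats an empty version as earlier than any other, so the branch is entered, which is harmless only because of the `-f` test; and the sed deliberately matches only a line still reading `*@INTERN cil` (per 774f126b), so a comment noting that locally edited lines are intentionally left alone, and covered by the NEWS warning, would make the intent clear to the next reader.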
=====================================
share/debian-edu-config/tools/kerberos-kdc-init
=====================================
@@ -187,7 +187,7 @@ EOF
if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then
cat > /etc/krb5kdc/kadm5.acl <<EOF
root/admin at INTERN *
-*@INTERN cil
+*@INTERN CIl
*/*@INTERN i
EOF
chmod 644 /etc/krb5kdc/kadm5.acl
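Review bot: The generated file now contains `*@INTERN CIl` with nothing explaining that upper-case letters in kadm5.acl are explicit denials (C = no changepw, I = no inquire, l = list still permitted); kadm5.acl accepts `#` comment lines, so a one-line comment inside the heredoc would stop a future editor from "correcting" it back to lower-case. Note also that this template is only written when the file does not yet exist, so every existing installation depends on the postinst sed matching the old `cil` string; the two must be kept in sync if either is edited again.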
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/compare/cfebd1b56c213e80776aba862ef0f9cda521aa48...dcb17206dd02413007133e115f9241fdcca1b6b8