[debian-edu-commits] [Git][debian-edu/debian-edu-config][buster] 10 commits: share/debian-edu-config/tools/kerberos-kdc-init:

Dominik George gitlab at salsa.debian.org
Tue Dec 17 17:29:52 GMT 2019



Dominik George pushed to branch buster at Debian Edu / debian-edu-config


Commits:
69dd3cf2 by Wolfgang Schweer at 2019-12-16T15:27:57Z
share/debian-edu-config/tools/kerberos-kdc-init:
Set proper rights for users in kadm5.acl file. (Closes: #946797)

Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
6640e4d6 by Wolfgang Schweer at 2019-12-16T15:28:21Z
Improve kadm5.acl bug fix.

share/debian-edu-config/tools/kerberos-kdc-init:
Also disable inquiries to the Kerberos database for ordinary users.

debian/debian-edu-config.postinst:
Restart krb5-admin-server if the fix gets applied via upgrades.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
774f126b by Wolfgang Schweer at 2019-12-16T15:28:33Z
Improve kadm5.acl bug fix further.

debian/debian-edu-config.postinst:
Avoid messing up possible local additions, thanks to Dominik George.

Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>

- - - - -
c464ef0c by Dominik George at 2019-12-16T15:29:39Z
Adjust changelog for buster-security

- - - - -
8a9b73cf by Dominik George at 2019-12-16T15:40:43Z
Add NEWS.Debian for kadm5.acl change

- - - - -
91322195 by Holger Levsen at 2019-12-16T16:07:27Z
Improve debian/debian-edu-config.postinst fix to only run once on upgrades.

Signed-off-by: Holger Levsen <holger at layer-acht.org>

- - - - -
6f0ae527 by Dominik George at 2019-12-16T16:35:16Z
Amend version comparison for buster

- - - - -
1f6c7101 by Dominik George at 2019-12-16T21:29:21Z
Add CVE reference to changelog

- - - - -
70f9a0ad by Dominik George at 2019-12-16T21:33:38Z
Fix name of NEWS file

- - - - -
dcb17206 by Dominik George at 2019-12-16T21:37:55Z
Add changelog about NEWS file

- - - - -


4 changed files:

- + debian/NEWS
- debian/changelog
- debian/debian-edu-config.postinst
- share/debian-edu-config/tools/kerberos-kdc-init


Changes:

=====================================
debian/NEWS
=====================================
@@ -0,0 +1,12 @@
+debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high
+
+    The Kerberos kadm ACLs in /etc/krb5kdc/kadm5.acl contained an insecure
+    setting allowing all authenticated users in the network to change the
+    credentials of everyone else, thus impersonating other users and gaining
+    their privileges.
+
+    If you never changed these ACLs, the package update fixes the issue
+    automatically. If you did, please double-check that no unexpected
+    principal has the c ACL (lower-case!) set.
+
+ -- Dominik George <natureshadow at debian.org>  Mon, 16 Dec 2019 16:29:19 +0100
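Review bot: the check-by-hand advice in the second paragraph covers only the `c` flag, but the series also denies inquiries for ordinary users (commit 6640e4d6) and the postinst rewrites `cil` to `CIl`; tell administrators to look for a lower-case `i` as well, e.g. "no unexpected principal has the c or i ACL (lower-case!) set", and state the intended resulting line (`*@INTERN CIl`) so someone with local edits knows what to compare against.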


=====================================
debian/changelog
=====================================
@@ -1,3 +1,21 @@
+debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high
+
+  * Security fix for CVE-2019-3467
+
+  [ Wolfgang Schweer ]
+  * share/debian-edu-config/tools/kerberos-kdc-init:
+    - Set proper rights for users in kadm5.acl file. (Closes: #946797)
+  * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
+
+  [ Holger Levsen ]
+  * Improve debian/debian-edu-config.postinst fix to only run once on
+    upgrades.
+
+  [ Dominik George ]
+  * Add NEWS to warn administrators with possible local changes.
+
+ -- Dominik George <natureshadow at debian.org>  Mon, 16 Dec 2019 16:29:19 +0100
+
 debian-edu-config (2.10.65+deb10u2) buster; urgency=medium
 
   [ Wolfgang Schweer ]
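Review bot: the entry under [ Wolfgang Schweer ] does not mention that inquiries are now denied for ordinary users (commit 6640e4d6) nor that the postinst restarts krb5-admin-server when it rewrites the ACL; administrators read this before upgrading a KDC, so add a line such as "- Also deny inquiries for ordinary users; restart krb5-admin-server when kadm5.acl is rewritten."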


=====================================
debian/debian-edu-config.postinst
=====================================
@@ -256,6 +256,14 @@ configure)
         cp /etc/cfengine3/debian-edu/edu.cf /var/lib/cfengine3/inputs/debian-edu
         cp /etc/cfengine3/debian-edu/promises.cf /var/lib/cfengine3/inputs
     fi
+
+    # Set proper rights for users - see #946797
+    if dpkg --compare-versions "$2" le "2.10.65+deb10u2" ; then
+        if [ -f /etc/krb5kdc/kadm5.acl ] ; then
+            sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl
+            service krb5-admin-server restart
+        fi
+    fi
     ;;
 esac
 
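Review bot: on a fresh install `$2` is empty, so `dpkg --compare-versions "$2" le "2.10.65+deb10u2"` prints a bad-syntax warning and succeeds, running the block on first install too; guard it with `if [ -n "$2" ] && dpkg --compare-versions "$2" le "2.10.65+deb10u2"`. Two smaller points: maintainer scripts should use `invoke-rc.d krb5-admin-server restart` rather than `service` (Debian Policy 9.3.3), and the restart runs even when `sed` changed nothing, which can be avoided by testing `grep -q '^\*@INTERN[[:space:]]*cil$' /etc/krb5kdc/kadm5.acl` first. The regex deliberately matches only the literal `cil` so locally edited lines are left alone (commit 774f126b); a comment saying so would explain why the NEWS file asks those administrators to check by hand.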


=====================================
share/debian-edu-config/tools/kerberos-kdc-init
=====================================
@@ -187,7 +187,7 @@ EOF
     if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then
 	cat > /etc/krb5kdc/kadm5.acl <<EOF
 root/admin at INTERN *
-*@INTERN cil
+*@INTERN CIl
 */*@INTERN i
 EOF
     chmod 644 /etc/krb5kdc/kadm5.acl
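Review bot: nothing in the heredoc indicates that upper-case flags deny, so `CIl` looks like a typo to a maintainer who does not know the kadm5.acl syntax; add a comment line inside the heredoc (kadm5.acl ignores lines starting with `#`), e.g. `# upper-case = deny: no changepw (C), no inquire (I); lower-case l = list`. The `*/*@INTERN i` line is unchanged, so every instance principal (host/ and service principals) keeps inquire access; if that is intended, say so in the same comment. Since this file is only written when absent, existing installations rely entirely on the postinst rewrite for the fix.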



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/compare/cfebd1b56c213e80776aba862ef0f9cda521aa48...dcb17206dd02413007133e115f9241fdcca1b6b8


