[debian-edu-commits] [Git][debian-edu/debian-edu-config][stretch] 12 commits: share/debian-edu-config/tools/kerberos-kdc-init:
Dominik George
gitlab at salsa.debian.org
Tue Dec 17 17:44:04 GMT 2019
Dominik George pushed to branch stretch at Debian Edu / debian-edu-config
Commits:
1d2e2b93 by Wolfgang Schweer at 2019-12-17T17:35:39Z
share/debian-edu-config/tools/kerberos-kdc-init:
Set proper rights for users in kadm5.acl file. (Closes: #946797)
Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
4ed1e3b0 by Wolfgang Schweer at 2019-12-17T17:36:27Z
Improve kadm5.acl bug fix.
share/debian-edu-config/tools/kerberos-kdc-init:
Also disable inquiries to the Kerberos database for ordinary users.
debian/debian-edu-config.postinst:
Restart krb5-admin-server if the fix gets applied via upgrades.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
de6e47f2 by Wolfgang Schweer at 2019-12-17T17:36:28Z
Improve kadm5.acl bug fix further.
debian/debian-edu-config.postinst:
Avoid messing up possible local additions, thanks to Dominik George.
Signed-off-by: Wolfgang Schweer <wschweer at arcor.de>
- - - - -
20c571bf by Dominik George at 2019-12-17T17:37:05Z
Adjust changelog for buster-security
- - - - -
71de5761 by Dominik George at 2019-12-17T17:37:14Z
Add NEWS.Debian for kadm5.acl change
- - - - -
8719a1a4 by Holger Levsen at 2019-12-17T17:37:15Z
Improve debian/debian-edu-config.postinst fix to only run once on upgrades.
Signed-off-by: Holger Levsen <holger at layer-acht.org>
- - - - -
31a2b820 by Dominik George at 2019-12-17T17:37:16Z
Amend version comparison for buster
- - - - -
58317c31 by Dominik George at 2019-12-17T17:37:17Z
Add CVE reference to changelog
- - - - -
506e25f8 by Dominik George at 2019-12-17T17:37:18Z
Fix name of NEWS file
- - - - -
5294349d by Dominik George at 2019-12-17T17:37:18Z
Add changelog about NEWS file
- - - - -
b2146085 by Dominik George at 2019-12-17T17:38:37Z
Amend versions for stretch
- - - - -
de13e932 by Dominik George at 2019-12-17T17:39:09Z
Update changelog timestamp
- - - - -
4 changed files:
- + debian/NEWS
- debian/changelog
- debian/debian-edu-config.postinst
- share/debian-edu-config/tools/kerberos-kdc-init
Changes:
=====================================
debian/NEWS
=====================================
@@ -0,0 +1,12 @@
+debian-edu-config (1.929+deb9u4) stretch-security; urgency=high
+
+ The Kerberos kadm ACLs in /etc/krb5kdc/kadm5.acl contained an insecure
+ setting allowing all authenticated users in the network to change the
+ credentials of everyone else, thus impersonating other users and gaining
+ their privileges.
+
+ If you never changed these ACLs, the package update fixes the issue
+ automatically. If you did, please double-check that no unexpected
+ principal has the c ACL (lower-case!) set.
+
+ -- Dominik George <natureshadow at debian.org> Mon, 16 Dec 2019 16:29:19 +0100
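Review bot: the advice in the second paragraph only tells administrators to look for the lower-case `c` flag, but the kerberos-kdc-init change in this same push replaces `cil` with `CIl`, so it also withdraws the inquire (`i`) right from `*@INTERN`; the text should ask admins with local edits to check for a lower-case `i` as well, and it would help to state plainly that an upper-case letter in kadm5.acl denies the corresponding right. The trailer date (Mon, 16 Dec 2019) also differs from the changelog entry's (Tue, 17 Dec 2019); NEWS stanzas normally carry the same stamp as the matching changelog entry.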
=====================================
debian/changelog
=====================================
@@ -1,3 +1,21 @@
+debian-edu-config (1.929+deb9u4) stretch-security; urgency=high
+
+ * Security fix for CVE-2019-3467
+
+ [ Wolfgang Schweer ]
+ * share/debian-edu-config/tools/kerberos-kdc-init:
+ - Set proper rights for users in kadm5.acl file. (Closes: #946797)
+ * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
+
+ [ Holger Levsen ]
+ * Improve debian/debian-edu-config.postinst fix to only run once on
+ upgrades.
+
+ [ Dominik George ]
+ * Add NEWS to warn administrators with possible local changes.
+
+ -- Dominik George <natureshadow at debian.org> Tue, 17 Dec 2019 18:38:50 +0100
+
debian-edu-config (1.929+deb9u3) stretch; urgency=medium
[ Wolfgang Schweer ]
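Review bot: the `[ Wolfgang Schweer ]` block lists only the rights change and the postinst hook, but commits 4ed1e3b0 and de6e47f2 in this push also withdraw the inquire right for ordinary users, restart krb5-admin-server when the fix is applied on upgrade, and narrow the sed so local additions are left untouched; a sub-item for each would make the security entry describe what the package actually does, which matters for anyone auditing the CVE-2019-3467 fix later.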
=====================================
debian/debian-edu-config.postinst
=====================================
@@ -179,6 +179,13 @@ configure)
chown root:root /var/lib/dovecot
touch /var/lib/dovecot/auth_success
+ # Set proper rights for users - see #946797
+ if dpkg --compare-versions "$2" le "1.929+deb9u3" ; then
+ if [ -f /etc/krb5kdc/kadm5.acl ] ; then
+ sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl
+ service krb5-admin-server restart
+ fi
+ fi
;;
esac
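Review bot: `service krb5-admin-server restart` runs whenever /etc/krb5kdc/kadm5.acl exists, even when the sed pattern did not match (an administrator who edited the `*@INTERN` line, exactly the case NEWS warns about) or when nothing needed changing; consider checking the line first with `grep -q` and printing a warning when the expected `*@INTERN cil` entry is absent, so that a still-insecure ACL is not silently left in place, and restart only when the file was actually modified. The version test also runs on a fresh install, where `$2` is empty; the `[ -f ... ]` guard largely covers that, but the usual postinst idiom is `if [ -n "$2" ] && dpkg --compare-versions "$2" le "1.929+deb9u3"`.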
=====================================
share/debian-edu-config/tools/kerberos-kdc-init
=====================================
@@ -192,7 +192,7 @@ EOF
if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then
cat > /etc/krb5kdc/kadm5.acl <<EOF
root/admin at INTERN *
-*@INTERN cil
+*@INTERN CIl
*/*@INTERN i
EOF
chmod 644 /etc/krb5kdc/kadm5.acl
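Review bot: `CIl` relies on the kadm5.acl convention that an upper-case letter denies the right, which the NEWS text itself shows is easy to misread (`lower-case!`); a comment line in the generated file, e.g. `# upper-case letters deny: C = no change-password, I = no inquire`, would stop a later hand edit from "correcting" it back to `cil`. Note also that this heredoc is only written when the file does not yet exist (`if [ ! -f ... ]`), so every existing installation depends entirely on the postinst hook to receive the fix.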
View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/compare/25340fb13d8a64a3adeb118429c660864cc96a33...de13e932de6041e5cce344ce7d47c0a6b53f01ca