Accepted heimdal 7.5.0+dfsg-3+deb10u1 (source) into oldstable
- To: dispatch@tracker.debian.org, debian-lts-changes@lists.debian.org
- Subject: Accepted heimdal 7.5.0+dfsg-3+deb10u1 (source) into oldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sat, 26 Nov 2022 17:30:19 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: heimdal_7.5.0+dfsg-3+deb10u1_source.changes
- Debian-source: heimdal
- Debian-suite: oldstable
- Debian-version: 7.5.0+dfsg-3+deb10u1
- Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=ftp-master.debian.org; s=smtpauto.seger; h=Date:Message-Id: Content-Transfer-Encoding:Content-Type:Subject:MIME-Version:To:Reply-To:From: Cc:Content-ID:Content-Description:In-Reply-To:References; bh=H8j+bx6lPLHjZYrPvffukgx1vm6MbwM9vjJDYYrcQDY=; b=sXRlYeaurKwNs8bZbKRcFVfeHJ pFE6pIEMRQL+nmY9HLyPDoyvPtg73uzE4VM60ItDo6tHebAZSM/uSR7kUmLcbn0i4ZuZpByGGUwMq SoSfsMFI+pCUf1u7LwCT6KRcZcpB7JmhAZRhnYF6WwUSaT1fstOo72B0KcQj661IHUHD8SyFMFq4o nhiiTjrhU/WAHNslECFTbSHzSl0FQWYOgmcLEXn57qKq1Amp3uPDdlWhLQSbjw+winzt8XpO90DKk CMOdjdTAlqMGi5vHCdxZKPwRgnu2bxUjU0jVuBa5OP9F1r4f5nhOp1BtarHeOR4uBdEpsVW+vCyrZ tMdZpEjA==;
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1oyz0N-001qj9-81@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 26 Nov 2022 17:00:54 +0100
Source: heimdal
Architecture: source
Version: 7.5.0+dfsg-3+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Brian May <bam@debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 946786 996586 1024187
Changes:
 heimdal (7.5.0+dfsg-3+deb10u1) buster-security; urgency=high
 .
   * Non-maintainer upload by the LTS Security Team, with fixes for:
     + CVE-2019-14870: The AD KDC before 7.7.1/7.8 does not apply
       delegation_not_allowed (aka not-delegated) user attributes for S4U2Self;
       instead the forwardable flag is set even if the impersonated client has
       the not-delegated flag set. Closes: #946786.
     + CVE-2021-3671: A NULL dereference was found in the way the server
       handled a missing sname in TGS-REQ, leading to denial of service of the
       KDC before 7.7.1/7.8. Closes: #996586.
     + CVE-2021-44758: An initial SPNEGO token that has no acceptable
       mechanisms causes a NULL dereference in acceptors. Closes: #1024187.
       - Follow-up regression (FTBFS) fix: gss: Remove useless grep from
         check-context.
     + CVE-2022-3437: RC4 (arcfour), 1DES and 3DES3 unwrap didn't use constant
       memcmp() and were subject to buffer overflow, potentially leaking secret
       keys when using these ciphers. Closes: #1024187.
     + CVE-2022-41916: The KDC and 3rd party applications using Heimdal's
       libhx509 before 7.7.1/7.8 are subject to a denial of service
       vulnerability due to an out-of-bounds read in the PKI certificate
       validation library. Closes: #1024187.
     + CVE-2022-42898: Heimdal before 7.7.1/7.8 suffers from an integer
       multiplication overflow when calculating how many bytes to allocate for
       a buffer for the parsed Privilege Attribute Certificate (PAC). 64-bit
       systems are not exploitable. Closes: #1024187.
       - Follow-up regression fix for lib/krb5/store-int.c:_krb5_get_int64() on
         32-bit systems.
     + CVE-2022-44640: Invalid free() in ASN.1 codec, potentially allowing
       remote code execution against Heimdal KDCs before 7.7.1/7.8.
       Closes: #1024187.
Checksums-Sha1:
c502f3e19c0eb1f8f42462023e5226d6272e7c0f 3611 heimdal_7.5.0+dfsg-3+deb10u1.dsc
1ba39f71a5627a23afbc8b987362831bed764f7d 8955005 heimdal_7.5.0+dfsg.orig.tar.gz
c736fa5ce04c0849150a84dc5ad4f3ae8e116ac9 471348 heimdal_7.5.0+dfsg-3+deb10u1.debian.tar.xz
27fb8df5ed76c1114f3f00f45208206d6dbf4cf0 22157 heimdal_7.5.0+dfsg-3+deb10u1_amd64.buildinfo
Checksums-Sha256:
fd39b3cfb931a543f189ecfab730159d2dd8bf9b7fb754ffeab6bbabc6b6326f 3611 heimdal_7.5.0+dfsg-3+deb10u1.dsc
489119b7a1a900b88163765654dc59cba9a321b078fafc76629e2b85ef140867 8955005 heimdal_7.5.0+dfsg.orig.tar.gz
8f8a537dc6d9ca57b20068a2bb32dcf1b54a8dea54e55612395033cd66bbf905 471348 heimdal_7.5.0+dfsg-3+deb10u1.debian.tar.xz
f61f0e7c353fbba24a1f363b4209eef77909f67f15071dd5af0f020d430fcd87 22157 heimdal_7.5.0+dfsg-3+deb10u1_amd64.buildinfo
Files:
1b9ed0d4f5c867496fa1b1b446ac48b9 3611 net optional heimdal_7.5.0+dfsg-3+deb10u1.dsc
b45b9d03cdd4f3288e79feba99e13a51 8955005 net optional heimdal_7.5.0+dfsg.orig.tar.gz
022f7634cfbda46344d98662088b2270 471348 net optional heimdal_7.5.0+dfsg-3+deb10u1.debian.tar.xz
c11c0710edc870c15cc0ae792aa6a545 22157 net optional heimdal_7.5.0+dfsg-3+deb10u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
=2f9Z
-----END PGP SIGNATURE-----