diff options
| author | Nalin Dahyabhai <nalin@redhat.com> | 2014-08-07 19:31:10 -0400 |
|---|---|---|
| committer | Nalin Dahyabhai <nalin@redhat.com> | 2014-08-07 19:31:10 -0400 |
| commit | 49317b192b9f29145a427dc7de21faf0aa1a3baf (patch) | |
| tree | 44c3e9e2ac1d961adcacf326075bdf8bd53883ff | |
| parent | 67709ed0a8ae20c2b27a7e4e73e2101b9c24fcec (diff) | |
| download | krb5-49317b192b9f29145a427dc7de21faf0aa1a3baf.tar.gz krb5-49317b192b9f29145a427dc7de21faf0aa1a3baf.tar.xz krb5-49317b192b9f29145a427dc7de21faf0aa1a3baf.zip | |
fix MITKRB5-SA-2014-001 (CVE-2014-4345)krb5-1.11.5-11.fc20
- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345)
| -rw-r--r-- | 2014-001-patch.txt | 14 | ||||
| -rw-r--r-- | 2014-001-patch.txt.asc | bin | 0 -> 419 bytes | |||
| -rw-r--r-- | krb5.spec | 10 |
3 files changed, 23 insertions, 1 deletions
diff --git a/2014-001-patch.txt b/2014-001-patch.txt new file mode 100644 index 0000000..19ea866 --- /dev/null +++ b/2014-001-patch.txt @@ -0,0 +1,14 @@ +diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +index ce851ea..df5934c 100644 +--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c ++++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data, + j++; + last = i + 1; + +- currkvno = key_data[i].key_data_kvno; ++ if (i < n_key_data - 1) ++ currkvno = key_data[i + 1].key_data_kvno; + } + } + ret[num_versions] = NULL; diff --git a/2014-001-patch.txt.asc b/2014-001-patch.txt.asc Binary files differnew file mode 100644 index 0000000..adefc75 --- /dev/null +++ b/2014-001-patch.txt.asc @@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.11.5 -Release: 10%{?dist} +Release: 11%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.11/krb5-1.11.5-signed.tar Source0: krb5-%{version}.tar.gz @@ -130,6 +130,9 @@ Patch163: krb5-1.11-CVE-2014-4341_4342-tests.patch Patch164: krb5-gssapi-mech-doublefree.patch Patch165: krb5-gssapi-spnego-deref.patch +Patch166: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt +Patch167: http://web.mit.edu/kerberos/advisories/2014-001-patch.txt.asc + # Patches for otp plugin backport Patch201: krb5-1.11.2-keycheck.patch Patch202: krb5-1.11.2-otp.patch @@ -419,6 +422,8 @@ ln -s NOTICE LICENSE %patch164 -p1 -b .gssapi-mech-doublefree %patch165 -p1 -b .gssapi-spnego-deref +%patch166 -p1 -b .2014-001 + %patch201 -p1 -b .keycheck %patch202 -p1 -b .otp %patch203 -p1 -b .otp2 @@ -1091,6 +1096,9 @@ exit 0 %{_sbindir}/uuserver %changelog +* Thu Aug 7 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.11.5-11 +- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345) + * Mon Jul 21 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.11.5-10 - gssapi: pull in upstream fix for a possible NULL dereference in spnego (CVE-2014-4344) |