CVE-2019-3467: #946797 - debian-edu-config: kadm5.acl should set proper rights for users
Debian-edu-config all versions < 2.11.10, a set of configuration files used for Debian Edu, and debian-lan-config < 0.26, configured too permissive ACLs for the Kerberos admin server, which allowed password changes for other Kerberos user principals.
Reported by: Wolfgang Schweer [email protected]
Date: Sun, 15 Dec 2019 23:30:05 UTC
Severity: critical
Tags: patch, security
Found in versions debian-edu-config/2.10.65+deb10u2, 1.812+deb8u1, debian-edu-config/1.929+deb9u3, debian-edu-config/2.11.9
Fixed in versions debian-edu-config/2.11.10, debian-edu-config/1.818+deb8u3, debian-edu-config/2.10.65+deb10u3, debian-edu-config/1.929+deb9u4
Done: Dominik George [email protected]
Bug is archived. No further changes may be made.
Report forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Sun, 15 Dec 2019 23:30:08 GMT) (full text, mbox, link).
Message #3 received at [email protected] (full text, mbox, reply):
Package: debian-edu-config
Version: 1.812+deb8u1
Severity: important
To improve security, settings in kadm5.acl should be adjusted.
The needed fix is minimal:
— a/share/debian-edu-config/tools/kerberos-kdc-init +++ b/share/debian-edu-config/tools/kerberos-kdc-init @@ -187,7 +187,7 @@ EOF if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then cat > /etc/krb5kdc/kadm5.acl <<EOF root/admin@INTERN * -*@INTERN cil +*@INTERN Cil */*@INTERN i EOF chmod 644 /etc/krb5kdc/kadm5.acl
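Review bot: In the `*@INTERN` entry, `Cil` only turns off the change-password bit; inquire (`i`) and list (`l`) stay granted to every principal in the realm, and the `*/*@INTERN i` entry is left as it was. If no non-admin principal needs kadmin access, consider dropping both wildcard entries and keeping only `root/admin@INTERN *`, or at least denying inquire in the same change. Because the heredoc sits inside `if [ ! -f /etc/krb5kdc/kadm5.acl ]`, this hunk only affects fresh installs; an existing file keeps the old `cil` entry unless something else rewrites it.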
Thanks to Andreas B. Mundt for the hint.
Also, /etc/krb5kdc/kadm5.acl should be fixed accordingly upon upgrades by adding something like this to debian-edu-config.postinst:
[configure case] fi
Set proper rights for users.
- if [ -f /etc/krb5kdc/kadm5.acl ] ; then
sed -i 's/cil/Cil/' /etc/krb5kdc/kadm5.acl
- fi ;; esac
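Review bot: The expression in `sed -i 's/cil/Cil/'` is not tied to the `*@INTERN` entry, so it rewrites the first `cil` on every line of the file, including entries a local admin added and any principal name that happens to contain those letters. Key the match on `*@INTERN` followed by whitespace and `cil` so other lines are left alone. The block also has no version guard, so it runs on every configure, and nothing here restarts or reloads the admin server after the file has changed.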
Wolfgang
Message sent on to Wolfgang Schweer [email protected]:
Bug#946797. (Sun, 15 Dec 2019 23:45:11 GMT) (full text, mbox, link).
Message #6 received at [email protected] (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #946797 in debian-edu-config reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:
https://salsa.debian.org/debian-edu/debian-edu-config/commit/fc5da005cfd6cd71fa6870569351385f527d38ae
share/debian-edu-config/tools/kerberos-kdc-init: Set proper rights for users in kadm5.acl file. (Closes: #946797)
Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
Signed-off-by: Wolfgang Schweer [email protected]
(this message was generated automatically)
Greetings
https://bugs.debian.org/946797
Added tag(s) pending. Request was from Wolfgang Schweer [email protected] to [email protected]. (Sun, 15 Dec 2019 23:45:11 GMT) (full text, mbox, link).
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 10:15:09 GMT) (full text, mbox, link).
Acknowledgement sent to Dominik George [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 10:15:09 GMT) (full text, mbox, link).
Message #13 received at [email protected] (full text, mbox, reply):
Hi,
> Severity: important
I propose this bug to be set to severity critical and handled by DSA. After all, it is a local impersonation and root privilege escalation bug, if not remote if you consider clients scattered out over a school remote.
> To improve security, settings in kadm5.acl should be adjusted.
> The needed fix is minimal:
— a/share/debian-edu-config/tools/kerberos-kdc-init +++ b/share/debian-edu-config/tools/kerberos-kdc-init @@ -187,7 +187,7 @@ EOF if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then cat > /etc/krb5kdc/kadm5.acl <<EOF root/admin@INTERN * -*@INTERN cil +*@INTERN Cil */*@INTERN i EOF chmod 644 /etc/krb5kdc/kadm5.acl
Why not just remove that line? Or disallow everything? Disallowing changes fixes the privilege escalation, but it is also questionable if everyone and their dog need to be allowed to track when which other person used the network. I am pretty certain it is at least a DSGVO violation.
> Thanks to Andreas B. Mundt for the hint.
> Also, /etc/krb5kdc/kadm5.acl should be fixed accordingly upon upgrades by adding something like this to debian-edu-config.postinst:
[configure case] fi
Set proper rights for users.
- if [ -f /etc/krb5kdc/kadm5.acl ] ; then
sed -i 's/cil/Cil/' /etc/krb5kdc/kadm5.acl
- fi ;; esac
Probably only if it was unmodified. If not, postinst should issue a warning using debconf, IMHO.
-nik
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 10:21:10 GMT) (full text, mbox, link).
Acknowledgement sent to Dominik George [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 10:21:10 GMT) (full text, mbox, link).
Message #18 received at [email protected] (full text, mbox, reply):
> handled by DSA.
in a DSA.
(We should disambiguate DSA and DSA ;))
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 10:27:03 GMT) (full text, mbox, link).
Acknowledgement sent to Wolfgang Schweer [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 10:27:03 GMT) (full text, mbox, link).
Message #23 received at [email protected] (full text, mbox, reply):
On Mon, Dec 16, 2019 at 11:05:33AM +0100, Dominik George wrote:
root/admin@INTERN * -*@INTERN cil +*@INTERN Cil */*@INTERN i EOF chmod 644 /etc/krb5kdc/kadm5.acl
> Why not just remove that line?
The only line needed is:
root/admin@INTERN *
Intention is to fix the bug, but keep the change as minimal as possible.
Wolfgang
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 10:36:03 GMT) (full text, mbox, link).
Acknowledgement sent to Dominik George [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 10:36:04 GMT) (full text, mbox, link).
Message #28 received at [email protected] (full text, mbox, reply):
>> > root/admin@INTERN *
-*@INTERN cil +*@INTERN Cil */*@INTERN i EOF chmod 644 /etc/krb5kdc/kadm5.acl
> > Why not just remove that line?
> The only line needed is:
> root/admin@INTERN *
> Intention is to fix the bug, but keep the change as minimal as possible.
Then it should be CIl in my opinion. Listing principals is the same as getent passwd, so no additional leaks here. The i ACL allows tracking other users’ use of the network. It is thus part of the bug.
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 11:15:03 GMT) (full text, mbox, link).
Acknowledgement sent to Wolfgang Schweer [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 11:15:03 GMT) (full text, mbox, link).
Message #33 received at [email protected] (full text, mbox, reply):
On Mon, Dec 16, 2019 at 11:33:28AM +0100, Dominik George wrote:
> > > Why not just remove that line?
> > The only line needed is:
> > root/admin@INTERN *
> > Intention is to fix the bug, but keep the change as minimal as possible.
> Then it should be CIl in my opinion. Listing principals is the same as getent passwd, so no additional leaks here. The i ACL allows tracking other users’ use of the network. It is thus part of the bug.
IMO Cil is enough, but better safe than sorry. Just committed like proposed, thanks.
Wolfgang
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 12:12:03 GMT) (full text, mbox, link).
Acknowledgement sent to Dominik George [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 12:12:03 GMT) (full text, mbox, link).
Message #38 received at [email protected] (full text, mbox, reply):
On Mon, Dec 16, 2019 at 12:13:49PM +0100, Wolfgang Schweer wrote:
> On Mon, Dec 16, 2019 at 11:33:28AM +0100, Dominik George wrote:
> > > > Why not just remove that line?
> > > The only line needed is:
> > > root/admin@INTERN *
> > > Intention is to fix the bug, but keep the change as minimal as possible.
> > Then it should be CIl in my opinion. Listing principals is the same as getent passwd, so no additional leaks here. The i ACL allows tracking other users’ use of the network. It is thus part of the bug.
> IMO Cil is enough, but better safe than sorry. Just committed like proposed, thanks.
Great!
Also, I’d propose to turn the sed command into:
sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl
This way, it will not destroy any legitimate additions a local admin made.
-nik
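The two postinst expressions discussed in this thread behave differently on a file that carries local additions. The script below is an added example, not code from the bug log or from debian-edu-config; the sample file, the `cecilia/admin@INTERN` entry and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: the two postinst sed expressions from this thread, run on a
# constructed kadm5.acl. It reads and writes nothing under /etc/krb5kdc.

# Constructed sample: the three entries kerberos-kdc-init wrote before the
# fix, plus one hypothetical entry standing in for a local admin's addition.
sample_acl() {
    cat <<'EOF'
root/admin@INTERN *
*@INTERN cil
*/*@INTERN i
cecilia/admin@INTERN cil
EOF
}

# First proposal: rewrites the first "cil" found on every line.
fix_unanchored() {
    sed 's/cil/Cil/'
}

# Later proposal: rewrites only "cil" that follows "*@INTERN" and whitespace,
# and also turns the inquire bit off (CIl).
fix_anchored() {
    sed 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/'
}

# Audit helper (an assumption of this example, not from the thread): print
# every wildcard principal pattern whose permission field still grants
# change-password. Lowercase "c" grants it; "x" and "*" mean all privileges.
wildcard_changepw() {
    awk '!/^[ \t]*#/ && NF >= 2 && $1 ~ /\*/ && $2 ~ /[cx*]/ { print $1 }'
}

# Print the lines of the ACL on stdin that the given fix changed,
# as "before => after".
changed_lines() {
    fix=$1
    while IFS= read -r line; do
        new=$(printf '%s\n' "$line" | "$fix")
        [ "$line" = "$new" ] || printf '%s => %s\n' "$line" "$new"
    done
}

demo() {
    echo "wildcard entries granting change-password before any fix:"
    sample_acl | wildcard_changepw
    echo "changed by the unanchored expression:"
    sample_acl | changed_lines fix_unanchored
    echo "changed by the anchored expression:"
    sample_acl | changed_lines fix_anchored
}

demo
```

The unanchored expression also alters the constructed principal name and leaves that entry's permissions as they were; the anchored one touches only the `*@INTERN` entry.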
Severity set to ‘critical’ from ‘important’ Request was from Dominik George [email protected] to [email protected]. (Mon, 16 Dec 2019 13:06:06 GMT) (full text, mbox, link).
Added tag(s) patch and security. Request was from Dominik George [email protected] to [email protected]. (Mon, 16 Dec 2019 13:06:07 GMT) (full text, mbox, link).
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 13:15:07 GMT) (full text, mbox, link).
Acknowledgement sent to Wolfgang Schweer [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 13:15:07 GMT) (full text, mbox, link).
Message #47 received at [email protected] (full text, mbox, reply):
On Mon, Dec 16, 2019 at 01:09:53PM +0100, Dominik George wrote:
> Also, I’d propose to turn the sed command into:
> sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl
> This way, it will not destroy any legitimate additions a local admin made.
Good point. Thanks, committed.
Wolfgang
Message sent on to Wolfgang Schweer [email protected]:
Bug#946797. (Mon, 16 Dec 2019 15:45:09 GMT) (full text, mbox, link).
Message #50 received at [email protected] (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #946797 in debian-edu-config reported by you has been fixed in the Git repository and is awaiting an upload. You can see the commit message below and you can check the diff of the fix at:
https://salsa.debian.org/debian-edu/debian-edu-config/commit/69dd3cf269eaa802f265cdd5b801f111d05731fe
share/debian-edu-config/tools/kerberos-kdc-init: Set proper rights for users in kadm5.acl file. (Closes: #946797)
Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
Signed-off-by: Wolfgang Schweer [email protected]
(this message was generated automatically)
Greetings
https://bugs.debian.org/946797
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 15:51:03 GMT) (full text, mbox, link).
Acknowledgement sent to Holger Levsen [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 15:51:03 GMT) (full text, mbox, link).
Message #55 received at [email protected] (full text, mbox, reply):
Hi,
Wolfgang, many thanks for this bug report and the quick fix. I’ll upload to unstable right now and will coordinate with DSA and LTS the fixes for buster, stretch and jessie.
On Mon, Dec 16, 2019 at 11:05:33AM +0100, Dominik George wrote:
> > Severity: important
> I propose this bug to be set to severity critical and handled by DSA.
DSA is very happy about maintainers - in coordination with DSA - taking care of ‘their’ security fixes.
– cheers, Holger
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 16:00:04 GMT) (full text, mbox, link).
Acknowledgement sent to Holger Levsen [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 16:00:04 GMT) (full text, mbox, link).
Message #60 received at [email protected] (full text, mbox, reply):
On Mon, Dec 16, 2019 at 12:26:57AM +0100, Wolfgang Schweer wrote:
> Also, /etc/krb5kdc/kadm5.acl should be fixed accordingly upon upgrades by adding something like this to debian-edu-config.postinst:
[configure case] fi
Set proper rights for users.
- if [ -f /etc/krb5kdc/kadm5.acl ] ; then
sed -i 's/cil/Cil/' /etc/krb5kdc/kadm5.acl
- fi ;;
I’ve made this conditional, so that this is only executed when upgrading from 2.11.9 or before. (Also because the above changes also need a krb5-admin-server service restart…)
– cheers, Holger
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 16:09:02 GMT) (full text, mbox, link).
Acknowledgement sent to Dominik George [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 16:09:02 GMT) (full text, mbox, link).
Message #65 received at [email protected] (full text, mbox, reply):
Hi,
> Wolfgang, many thanks for this bug report and the quick fix. I’ll upload to unstable right now and will coordinate with DSA and LTS the fixes for buster, stretch and jessie.
Are you aware that, as laid out on IRC, I am already doing that?
-nik
Reply sent to Holger Levsen [email protected]:
You have taken responsibility. (Mon, 16 Dec 2019 16:21:04 GMT) (full text, mbox, link).
Notification sent to Wolfgang Schweer [email protected]:
Bug acknowledged by developer. (Mon, 16 Dec 2019 16:21:04 GMT) (full text, mbox, link).
Message #70 received at [email protected] (full text, mbox, reply):
Source: debian-edu-config
Source-Version: 2.11.10
We believe that the bug you reported is fixed in the latest version of debian-edu-config, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Holger Levsen [email protected] (supplier of updated debian-edu-config package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.8
Date: Mon, 16 Dec 2019 16:56:24 +0100
Source: debian-edu-config
Architecture: source
Version: 2.11.10
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers [email protected]
Changed-By: Holger Levsen [email protected]
Closes: 946797
Changes:
 debian-edu-config (2.11.10) unstable; urgency=medium
 .
 [ Wolfgang Schweer ]
 * share/debian-edu-config/tools/kerberos-kdc-init:
   - Set proper rights for users in kadm5.acl file. (Closes: #946797)
 * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
 * Use secure URI in Homepage field.
 * Use canonical URL in Vcs-Git.
 .
 [ Holger Levsen ]
 * Improve debian/debian-edu-config.postinst fix to only run once on upgrades.
Information forwarded to [email protected], Debian Edu Developers [email protected]:
Bug#946797; Package debian-edu-config. (Mon, 16 Dec 2019 16:24:03 GMT) (full text, mbox, link).
Acknowledgement sent to Holger Levsen [email protected]:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers [email protected]. (Mon, 16 Dec 2019 16:24:03 GMT) (full text, mbox, link).
Message #75 received at [email protected] (full text, mbox, reply):
On Mon, Dec 16, 2019 at 04:58:32PM +0100, Dominik George wrote:
> > Wolfgang, many thanks for this bug report and the quick fix. I’ll upload to unstable right now and will coordinate with DSA and LTS the fixes for buster, stretch and jessie.
> Are you aware that, as laid out on IRC, I am already doing that?
no. (best always to inform the bug if you are working on one.) (*)
also I’ve already uploaded to unstable as the fix needs to land there first anyway.
Please also take my additional fix for postinst.
(*) my server had some connectivity issues and I wasn’t on irc for 48h… and then I just re-joined #-edu now.
– cheers, Holger
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Marked as found in versions debian-edu-config/1.929+deb9u3. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Mon, 16 Dec 2019 20:57:06 GMT) (full text, mbox, link).
Marked as found in versions debian-edu-config/2.10.65+deb10u2. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Mon, 16 Dec 2019 20:57:07 GMT) (full text, mbox, link).
Marked as found in versions debian-edu-config/2.11.9. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Mon, 16 Dec 2019 20:57:08 GMT) (full text, mbox, link).
Marked as fixed in versions 1.818+deb8u3. Request was from Dominik George [email protected] to [email protected]. (Wed, 18 Dec 2019 14:30:03 GMT) (full text, mbox, link).
No longer marked as fixed in versions 1.818+deb8u3. Request was from Dominik George [email protected] to [email protected]. (Wed, 18 Dec 2019 14:39:16 GMT) (full text, mbox, link).
Marked as fixed in versions debian-edu-config/1.818+deb8u3. Request was from Dominik George [email protected] to [email protected]. (Wed, 18 Dec 2019 14:39:18 GMT) (full text, mbox, link).
Reply sent to Dominik George [email protected]:
You have taken responsibility. (Sat, 21 Dec 2019 16:36:03 GMT) (full text, mbox, link).
Notification sent to Wolfgang Schweer [email protected]:
Bug acknowledged by developer. (Sat, 21 Dec 2019 16:36:03 GMT) (full text, mbox, link).
Message #92 received at [email protected] (full text, mbox, reply):
Source: debian-edu-config
Source-Version: 2.10.65+deb10u3
We believe that the bug you reported is fixed in the latest version of debian-edu-config, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Dominik George [email protected] (supplier of updated debian-edu-config package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.8
Date: Mon, 16 Dec 2019 16:29:19 +0100
Source: debian-edu-config
Architecture: source
Version: 2.10.65+deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Debian Edu Developers [email protected]
Changed-By: Dominik George [email protected]
Closes: 946797
Changes:
 debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high
 .
 * Security fix for CVE-2019-3467
 .
 [ Wolfgang Schweer ]
 * share/debian-edu-config/tools/kerberos-kdc-init:
   - Set proper rights for users in kadm5.acl file. (Closes: #946797)
 * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
 .
 [ Holger Levsen ]
 * Improve debian/debian-edu-config.postinst fix to only run once on upgrades.
 .
 [ Dominik George ]
 * Add NEWS to warn administrators with possible local changes.
Reply sent to Dominik George [email protected]:
You have taken responsibility. (Sat, 21 Dec 2019 16:36:05 GMT) (full text, mbox, link).
Notification sent to Wolfgang Schweer [email protected]:
Bug acknowledged by developer. (Sat, 21 Dec 2019 16:36:05 GMT) (full text, mbox, link).
Message #97 received at [email protected] (full text, mbox, reply):
Source: debian-edu-config
Source-Version: 1.929+deb9u4
We believe that the bug you reported is fixed in the latest version of debian-edu-config, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Dominik George [email protected] (supplier of updated debian-edu-config package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.8
Date: Tue, 17 Dec 2019 18:38:50 +0100
Source: debian-edu-config
Binary: debian-edu-config
Architecture: source
Version: 1.929+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Debian Edu Developers [email protected]
Changed-By: Dominik George [email protected]
Description:
 debian-edu-config - Configuration files for Skolelinux systems
Closes: 946797
Changes:
 debian-edu-config (1.929+deb9u4) stretch-security; urgency=high
 .
 * Security fix for CVE-2019-3467
 .
 [ Wolfgang Schweer ]
 * share/debian-edu-config/tools/kerberos-kdc-init:
   - Set proper rights for users in kadm5.acl file. (Closes: #946797)
 * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
 .
 [ Holger Levsen ]
 * Improve debian/debian-edu-config.postinst fix to only run once on upgrades.
 .
 [ Dominik George ]
 * Add NEWS to warn administrators with possible local changes.
Bug archived. Request was from Debbugs Internal Request [email protected] to [email protected]. (Sun, 09 Feb 2020 07:32:38 GMT) (full text, mbox, link).
Debian bug tracking system administrator <[email protected]>. Last modified: Thu Dec 22 20:35:20 2022; Machine Name: buxtehude