RHSA-2023:2570: Red Hat Security Advisory: krb5 security, bug fix, and enhancement update
An update for krb5 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2020-17049: It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it provides from tampering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user.
Synopsis
Moderate: krb5 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Description
Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).
The following packages have been upgraded to a later upstream version: krb5 (1.20.1). (BZ#2016312)
Security Fix(es):
- Kerberos: delegation constraint bypass in S4U2Proxy (CVE-2020-17049)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 9.2 Release Notes linked from the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
After installing the updated packages, running Kerberos services (krb5kdc, kadmin, and kprop) will be restarted automatically.
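A quick way to confirm that the update has landed is to compare the installed krb5 package builds against the fixed build named in this advisory (krb5-1.20.1-8.el9). The script below is an added example, not Red Hat's own tooling: it parses `rpm -q` output in a fixed query format, and the three RPM lines it runs on by default are constructed sample data.

```sh
#!/bin/sh
# Added example, not part of the Red Hat advisory: decide from `rpm -q` output
# whether installed krb5 packages are at or above the fixed build from
# RHSA-2023:2570 (krb5-1.20.1-8.el9). The sample RPM lines below are constructed.

FIXED_VR="1.20.1-8.el9"

# vr_at_least INSTALLED FIXED: succeed when INSTALLED >= FIXED.
# Uses sort -V (GNU coreutils); this ignores RPM epoch and the ~/^ ordering
# rules, which is sufficient for the el9 krb5 builds in this advisory.
vr_at_least() {
    inst="$1"; fixed="$2"
    [ "$inst" = "$fixed" ] && return 0
    lowest=$(printf '%s\n%s\n' "$inst" "$fixed" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# outdated_krb5 RPM_OUTPUT: print the name of every package that is below the
# fixed version, one per line. Input is in the format produced by
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' krb5-libs ...
outdated_krb5() {
    printf '%s\n' "$1" | while read -r name vr arch; do
        # Skip blank lines and "package X is not installed" messages,
        # whose second word is not a version.
        case "$vr" in [0-9]*) ;; *) continue ;; esac
        if ! vr_at_least "$vr" "$FIXED_VR"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample: one patched package, one older build, one older upstream.
SAMPLE_RPM_OUTPUT='krb5-libs 1.20.1-8.el9 x86_64
krb5-workstation 1.20.1-7.el9 x86_64
krb5-pkinit 1.19.1-22.el9 x86_64'

if [ "${KRB5_CHECK_LIVE:-0}" = 1 ] && command -v rpm >/dev/null 2>&1; then
    # Live query of this host (opt in with KRB5_CHECK_LIVE=1).
    input=$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n' \
            krb5-libs krb5-workstation krb5-server krb5-pkinit)
else
    input="$SAMPLE_RPM_OUTPUT"
fi

missing=$(outdated_krb5 "$input")
if [ -n "$missing" ]; then
    echo "Below the RHSA-2023:2570 fixed build ($FIXED_VR):"
    printf '  %s\n' $missing
else
    echo "All queried krb5 packages are at or above $FIXED_VR"
fi
```

On a real host, run it with `KRB5_CHECK_LIVE=1` so the comparison uses the locally installed packages instead of the sample lines.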
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 1956994 - CVE-2020-17049 krb5: Kerberos: delegation constrain bypass in S4U2Proxy [rhel-9]
- BZ - 2016312 - Rebase krb5 to latest upstream release 1.20 [rhel-9]
- BZ - 2025721 - CVE-2020-17049 Kerberos: delegation constrain bypass in S4U2Proxy
- BZ - 2063838 - Mishandling of CMS_verify() errors in PKINIT plugin
- BZ - 2068535 - Modify supported_enctypes (kdc.conf) and add aes256/128-sha2 enctypes due to FIPS
- BZ - 2121099 - Incorrect password expiration handling [rhel-9]
- BZ - 2151513 - upstream test t_discover_uri.py failed [rhel-9.2]
- BZ - 2159643 - Cannot set root as file owner using install in Mock build environment
- BZ - 2162461 - creating of user principal failed with Cryptosystem internal error when the aes256-cts is used (FIPS)
- BZ - 2165827 - CVE-2022-37967: MS-PAC extended KDC signature [rhel-9]
- BZ - 2166603 - KDB: double free in kdb5_create.c:add_principal()
- BZ - 2169985 - add krb5 principal failed with specific datetime string in pwexpire option (s390x, coredump)
References
- https://access.redhat.com/security/updates/classification/#moderate
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/9.2_release_notes/index