diff options
Diffstat (limited to 'website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc')
-rw-r--r-- | website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc | 158 |
1 files changed, 158 insertions, 0 deletions
diff --git a/website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc b/website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc new file mode 100644 index 0000000000..e8fef4cc8a --- /dev/null +++ b/website/static/security/advisories/FreeBSD-EN-22:28.heimdal.asc @@ -0,0 +1,158 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-EN-22:28.heimdal Errata Notice + The FreeBSD Project + +Topic: Regression in Heimdal KDC + +Category: contrib +Module: heimdal +Announced: 2022-11-29 +Affects: All supported versions of FreeBSD. +Corrected: 2022-11-18 01:09:42 UTC (stable/13, 13.1-STABLE) + 2022-11-29 23:04:48 UTC (releng/13.1, 13.1-RELEASE-p5) + 2022-11-18 01:10:53 UTC (stable/12, 12.4-STABLE) + 2022-11-29 23:19:12 UTC (releng/12.4, 12.4-RC2-p2) + 2022-11-29 23:16:21 UTC (releng/12.3, 12.3-RELEASE-p10) + +For general information regarding FreeBSD Errata Notices and Security +Advisories, including descriptions of the fields above, security +branches, and the following sections, please visit +<URL:https://security.FreeBSD.org/>. + +I. Background + +Heimdal implements the Kerberos 5 network authentication protocols. + +A Key Distribution Center (KDC) is trusted by all principals registered +in that administrative "realm" to store a secret key in confidence, of +which, the proof of knowledge is used to verify the authenticity of a +principal. + +FreeBSD-SA-22:14.heimdal corrected multiple vulnerabilities in the Heimdal +implementation of the Kerberos 5 network authentication protocols and KDC +included as part of the FreeBSD base system. + +II. Problem Description + +The patch released with FreeBSD-SA-22:14.heimdal included an inadvertently +merged block of code which prevents the KDC from issuing valid tickets. + +III. Impact + +A system patched with FreeBSD-SA-22:14.heimdal will have a defective KDC. + +IV. Workaround + +No workaround is available. Systems that were not updated with the patch from +FreeBSD-SA-22:14.heimdal are not affected. Note that unpatched systems are +vulnerable to multiple security issues. + +V. Solution + +Upgrade your system to a supported FreeBSD stable or release / security +branch (releng) dated after the correction date. + +A reboot is recommended. + +Perform one of the following: + +1) To update your system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the amd64, i386, or +(on FreeBSD 13 and later) arm64 platforms can be updated via the +freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +A reboot is recommended. + +2) To update your system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch +# fetch https://security.FreeBSD.org/patches/EN-22:28/heimdal.patch.asc +# gpg --verify heimdal.patch.asc + +b) Apply the patch. Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile the operating system using buildworld and installworld as +described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>. + +Restart all daemons that use Kerberos, or reboot the system. + +VI. Correction details + +This issue is corrected by the corresponding Git commit hash or Subversion +revision number in the following stable and release branches: + +Branch/path Hash Revision +- ------------------------------------------------------------------------- +stable/13/ b23fe6badeba stable/13-n253102 +releng/13.1/ 10571c04c9dd releng/13.1-n250173 +stable/12/ r372759 +releng/12.4/ r372779 +releng/12.3/ r372776 +- ------------------------------------------------------------------------- + +For FreeBSD 13 and later: + +Run the following command to see which files were modified by a +particular commit: + +# git show --stat <commit hash> + +Or visit the following URL, replacing NNNNNN with the hash: + +<URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN> + +To determine the commit count in a working tree (for comparison against +nNNNNNN in the table above), run: + +# git rev-list --count --first-parent HEAD + +For FreeBSD 12 and earlier: + +Run the following command to see which files were modified by a particular +revision, replacing NNNNNN with the revision number: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:14.heimdal.asc> +<URL:https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=267827> + +The latest revision of this advisory is available at +<URL:https://security.FreeBSD.org/advisories/FreeBSD-EN-22:28.heimdal.asc> +-----BEGIN PGP SIGNATURE----- + +iQIzBAEBCgAdFiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAmOGlvgACgkQ05eS9J6n +5cISog/8DVRGrMXWSdmaqa5KpO3SZ1o5mmhZDWYKRxDQZv0puJ6lTus44VtixzM6 +ft1zRe2yQy3YoTtcxho2jY8zppcdg5r4rIR4rXsxIAjufxd53hxmWYXjN6zObxTB +Owebw+xvJSG5ls020iRECI+YjE32ssXLBI7XkqOVnErF/UmxkTQM86VPHene3WwU +EhwwM1i7ZUdl/11tGPft975u5waKUFxeRF4jpFLu/pbDqHBoFgY4AT2ivs+6jwaO +o4X0gBDKDh/xXU7yFSdPfF09PRgSCosPMr8UNWXBlS6WYEmGPiRlS3NDB8EMFDw/ +AElMEqlT55DzdFi4qD91x+FPeIQ+NbJCNjFuZDXv4lZtAvGF/ue4wfxH/ZNcAo06 +SH1tJolwu0l6Q7e/6a+cU7RsonVhv7K2j5DKddoNSZcla/kg9z1IkYGgt0OrtOWn +eMhuiLNsBZwebWsYWT/MG5nHaL79jWKPy69c+b8yXcpdrpfC4DNVmnTiiHzpus46 +9K4X5aOgCMW6C19hIWvH74s6sWo8ZoEz4BaslJZ7AeHSv6HPGfUZBygtYm739a/J +U8WN+rRIzsaxHQXts6LF8xroJtUvxQ76TZgK58k/Pma+Xa0vdYLcyqd/XEaFm1CW +7rLqVzTsHTlOz7JaMLnNm1aY6KKyERnJ94ii+LOjeldCAVWMNE0= +=aUbR +-----END PGP SIGNATURE----- |