ports/148335: security/krb5 needs a patch or update
Bill Cole
bill_cole at cipherspace.com
Fri Jul 2 22:30:02 UTC 2010
>Number: 148335
>Category: ports
>Synopsis: security/krb5 needs a patch or update
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 02 22:30:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Bill Cole
>Release: 8.0
>Organization:
CipherSpace, LLC
>Environment:
FreeBSD MUNGE 8.0-RELEASE-p2 FreeBSD 8.0-RELEASE-p2 #2: Tue Mar 2 19:18:36 UTC 2010 root at MUNGE:/usr/obj/usr/src/sys/MUNGE amd64
>Description:
The krb5 port has been flagged by portaudit for many weeks because of a vulnerability that could be fixed either by updating the port to 1.8.2 or by including the upstream patch for 1.8.1.
MIT vulnerability info: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt
>How-To-Repeat:
Attempt to fetch the krb5 port:
# cd /usr/ports/security/krb5
# make fetch
===> krb5-1.8.1_1 has known vulnerabilities:
=> krb5 -- KDC double free vulnerability.
Reference: <http://portaudit.FreeBSD.org/86b8b655-4d1a-11df-83fb-0015587e2cc1.html>
=> krb5 -- KDC double free vulnerability.
Reference: <http://portaudit.FreeBSD.org/86b8b655-4d1a-11df-83fb-0015587e2cc1.html>
=> Please update your ports tree and try again.
*** Error code 1
>Fix:
MIT patch against 1.8.1 to fix the specific vulnerability:
<http://web.mit.edu/kerberos/advisories/2010-004-patch.txt>
MIT release page for 1.8.2:
<http://web.mit.edu/kerberos/krb5-1.8/krb5-1.8.2.html>
The port already includes an MIT patch for a different vulnerability of similar vintage: 2010-005.
Presumably adding the patch would be the quicker, simpler fix, and updating to 1.8.2 the long-term choice. 1.8.2 does not appear to me to have break-inducing changes, but I'm no Kerberos guru.
>Release-Note:
>Audit-Trail:
>Unformatted:
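As an added example, not part of the PR and not portaudit's own code, the POSIX sh functions below apply a "version < 1.8.2" check of the kind portaudit performs to a ports-style version such as krb5-1.8.1_1, honouring the VERSION[_PORTREVISION][,PORTEPOCH] scheme. The fixed release 1.8.2 is taken from the MIT release page above; the function names and the version strings fed in are constructed for the example.

```shell
# Added example, not portaudit's own code: apply a "version < 1.8.2" check of
# the kind portaudit performs to a FreeBSD port version such as krb5-1.8.1_1.
# Port versions are VERSION[_PORTREVISION][,PORTEPOCH]; epoch outranks version,
# version outranks port revision. 1.8.2 is the fixed release the MIT page names.

# Print "epoch version revision" for a port version (missing parts default 0).
split_version() {
    v=$1
    epoch=${v##*,}; [ "$epoch" = "$v" ] && epoch=0
    v=${v%%,*}
    rev=${v##*_}; [ "$rev" = "$v" ] && rev=0
    v=${v%%_*}
    printf '%s %s %s\n' "$epoch" "$v" "$rev"
}

# Compare dotted numeric versions component by component; print -1, 0 or 1.
# A missing trailing component counts as 0, so 1.8 == 1.8.0 and 1.8.9 < 1.8.10.
cmp_dotted() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "[.]"); nb = split(b, B, "[.]")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0; y = (i <= nb) ? B[i] + 0 : 0
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# Ports-style comparison of two full versions; print -1, 0 or 1.
cmp_portversion() {
    set -- $(split_version "$1") $(split_version "$2")
    if [ "$1" -ne "$4" ]; then
        [ "$1" -lt "$4" ] && printf '%s\n' -1 || printf '%s\n' 1; return
    fi
    r=$(cmp_dotted "$2" "$5")
    if [ "$r" -ne 0 ]; then printf '%s\n' "$r"; return; fi
    if [ "$3" -lt "$6" ]; then printf '%s\n' -1
    elif [ "$3" -gt "$6" ]; then printf '%s\n' 1
    else printf '%s\n' 0; fi
}

# is_vulnerable PKGNAME-VERSION FIXED: succeed when the installed version is
# older than the fixed one, i.e. when portaudit would refuse the fetch.
is_vulnerable() {
    installed=${1##*-}
    [ "$(cmp_portversion "$installed" "$2")" -lt 0 ]
}
is_vulnerable krb5-1.8.1_1 1.8.2 && echo "krb5-1.8.1_1 is affected (< 1.8.2)"
```

A port revision bump alone (1.8.2_1) still compares as fixed, while a higher port epoch (1.8.1,1) outranks the plain 1.8.2, which is why epoch is checked first.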