Accepted krb5 1.6.dfsg.1-3 (source)

Ubuntu Installer archive at ubuntu.com
Wed May 9 14:21:13 BST 2007


Accepted:
 OK: krb5_1.6.dfsg.1.orig.tar.gz
 OK: krb5_1.6.dfsg.1-3.diff.gz
 OK: krb5_1.6.dfsg.1-3.dsc
     -> Component: main Section: net

Origin: Debian/unstable
Format: 1.7
Date: Wed,  09 May 2007 14:18:37 +0100
Source: krb5
Binary: krb5-telnetd, krb5-clients, libkrb5-dev, krb5-ftpd, krb5-doc, krb5-user, libkrb5-dbg, libkadm55, libkrb53, krb5-kdc, krb5-rsh-server, krb5-admin-server
Architecture: source
Version: 1.6.dfsg.1-3
Distribution: gutsy
Urgency: critical
Maintainer: Sam Hartman <hartmans at debian.org>
Changed-By: Kees Cook <kees at ubuntu.com>
Closes: 393380 409318 409318 414382 420748 422687
Changes: 
 krb5 (1.6.dfsg.1-3) unstable; urgency=low
 .
   * Upstream bug #5552: krb5_get_init_creds needs to not dereference
     gic_opts if it is null.  Instead, assume that it is default options,
     Closes: #422687
 .
 krb5 (1.6.dfsg.1-2) unstable; urgency=low
 .
   * Fix shlibdeps to reflect 1.6.dfsg.1 instead of 1.6.1
   * Upload 1.6 to unstable
 .
 krb5 (1.6.dfsg.1-1) experimental; urgency=low
 .
   * Oops, I failed to understand how the version numbers work.  Since 1.6.1 is less than 1.6.dfsg, the version numbering is going to be a bit screwy for the 1.6 series.  We will use 1.6.dfsg.1 for 1.6.1.
   * Update to update-inetd dependency, Closes: #420748
 .
 krb5 (1.6.1.dfsg-1) experimental; urgency=low
 .
   * Depend on keyutils-lib-dev so we consistently get keyring cache support
   * New Portuguese translation, thanks Miguel Figueiredo, Closes: #409318
   * New Upstream release
       - Update shlibs for new API
   * Fix handling of null realm in krb5_rd_req_decoded; now we treat a null realm as a default realm there.
 .
 krb5 (1.6.dfsg-1) experimental; urgency=low
 .
   * New 1.6 release from upstream.
   * Update copyright
 .
 krb5 (1.6.dfsg~alpha1-1) experimental; urgency=low
 .
   * New upstream release
   * Remove IETF RFCs, Closes: #393380
   * Update copyright file based on new copyrights upstream
 .
 krb5 (1.4.4-8) unstable; urgency=emergency
 .
   * MIT-SA-2007-1: telnet allows login as an arbitrary user when
     presented with a specially crafted username; CVE-2007-0956
   * krb5_klog_syslog has a trivial buffer overflow that can be exploited
     by network data; CVE-2007-0957.  The upstream patch is very intrusive
     because it fixes each call to syslog to have proper length checking as
     well as the actual krb5_klog_syslog internals to use vsnprintf rather
     than vsprintf.  I have chosen to only include the change to
     krb5_klog_syslog for sarge.  This is sufficient to fix the problem but
     is much smaller and less intrusive.  (MIT-SA-2007-2)
   * MIT-SA-2007-3: The GSS-API library can cause a double free if
     applications treat certain errors decoding a message as errors that
     require freeing the output buffer.  At least the gssapi rpc library
     does this, so kadmind is vulnerable.  Fix the gssapi library because
     the spec allows applications to treat errors this way.  CVE-2007-1216
   * New Japanese translation, thanks TANAKA Atushi, Closes: #414382
 .
 krb5 (1.4.4-7) unstable; urgency=low
 .
   * Translation updates:
     - New Portuguese translation, thanks Rui Branco.  (Closes: #409318)
 .
 .
 krb5 (1.4.4-6) unstable; urgency=emergency
 .
   * MIT-SA-2006-2: kadmind and rpc library call through function pointer
     to freed memory (CVE-2006-6143).  Null out xp_auth unless it is
     associated with an rpcsec_gss connection.
Files: 
 8f8d6a494380f01a7a0a9236162afa52 14474321 net standard krb5_1.6.dfsg.1.orig.tar.gz
 3149b3aa316cada5bf8665eaa8b9dcff 1654954 net standard krb5_1.6.dfsg.1-3.diff.gz
 dd2cff628f829e79b77888285fc18ff0 898 net standard krb5_1.6.dfsg.1-3.dsc




