krb5-1.10.3-10.AXS4.1
Errata ID: AXSA:2013-280:01
Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords.
Security issues fixed with this release:
• CVE-2012-1016
The pkinit_server_return_padata function in plugins/preauth/pkinit/pkinit_srv.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find an agility KDF identifier in inappropriate circumstances, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted Draft 9 request.
• CVE-2013-1415
The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.
Fixed bugs:
• Upgraded to upstream version 1.10.3, which in particular provides better support for cross-domain trust functionality in other packages.
• Previous versions of libsmbclient depended on the krb5_locate_kdc() function. As it is no longer supported, older versions of libsmbclient did not function after updating Kerberos. To fix this, an explicit conflict with older versions of libsmbclient has been added, which prevents incompatible combinations.
• Leaving the krb5-auth-dialog application prompter hanging for a long period of time triggered a large clock drift that was applied at the next kinit session. This has been fixed.
• Previously, certain KDC implementations omitted some KDC's certificates contained in a PKINIT list of trusted roots, and the client failed to verify the signature on the data. This has been fixed: the client can now use its own copies of the relevant certificates, and verification works as expected.
• Previously, when a client's libraries and the KDC both supported AES but a keytab file did not contain the AES keys, using the kinit command with this file failed because the strongest encryption (AES) was used. This has been fixed: the encryption in the keytab file is now used, if supported.
• Fixed krb5 entering a loop because of timeout variable mishandling.
• Previously, passwd failed with the "token manipulation error" error message if used by an Identity Management client. This has been fixed.
• Fixed a performance issue caused by the SELinux file context configuration being reloaded every time the replay cache was flushed.
Update packages.
SRPMS
- krb5-1.10.3-10.AXS4.1.src.rpm
MD5: 6d8e76960758960aced22e27b5ade819
SHA-256: 3f64eeca1dba73424fefe8880a3bad1405533a5b01e5016e8d3bb3d6ff1a86f0
Size: 11.48 MB
Asianux Server 4 for x86
- krb5-devel-1.10.3-10.AXS4.1.i686.rpm
MD5: 8b5490b334d9aca7e9a49f6c31c12e8c
SHA-256: a813e3fe665845154a56997a85ea4b3d1a1d3461a27ff07ffd75fbfb77e6d545
Size: 492.19 kB
- krb5-libs-1.10.3-10.AXS4.1.i686.rpm
MD5: 254d740854b2ada2a466383991731f15
SHA-256: 4213a819b36fb28335a3fb0073147d6a983c0864a523456893d61c037ab138e4
Size: 767.64 kB
- krb5-pkinit-openssl-1.10.3-10.AXS4.1.i686.rpm
MD5: 621cb805640999c72bf647736bf36ba2
SHA-256: 37c6715250c6fc487644c51cfdb48a22e957b19aa1d7893745f9a5ef69e25344
Size: 116.46 kB
- krb5-server-1.10.3-10.AXS4.1.i686.rpm
MD5: 50f26aa252b555b20d2e5689638135fe
SHA-256: 3ab5d503dbbf2ca1bdb63b91171449cfa6e601cf6faba2528259119cada453e1
Size: 1.98 MB
- krb5-server-ldap-1.10.3-10.AXS4.1.i686.rpm
MD5: 8ef8c0cbbdebfd42331d5df7226992d9
SHA-256: d28e549893e6a3b95d0cd68451a46d4da5d4e7718f686d4248d2c6e9a20d9435
Size: 150.48 kB
- krb5-workstation-1.10.3-10.AXS4.1.i686.rpm
MD5: 50b117a94318c3ecc77e5c4ef712bf16
SHA-256: 02c438c863243702a5c5c133ef7dd83a099f0253f5f37fa8354daa455f110636
Size: 800.82 kB
Asianux Server 4 for x86_64
- krb5-devel-1.10.3-10.AXS4.1.x86_64.rpm
MD5: 77c7419404bc426ee1af9edb9ba2011c
SHA-256: 6f0f16045ee2d6b1d66d8479ebcd4608bf985512e1af1bdb66b72d5d84698b81
Size: 492.93 kB
- krb5-libs-1.10.3-10.AXS4.1.x86_64.rpm
MD5: 823292afb0844fdff8bdf9a8fb140b2e
SHA-256: e2d8cfe7fccb6ed2f8da49f98746c61a6ba68ee59cf1ab26d07b49d2cdbcf16a
Size: 758.94 kB
- krb5-pkinit-openssl-1.10.3-10.AXS4.1.x86_64.rpm
MD5: cb11d23a84aeaabaf6fe54f1f872cd44
SHA-256: 474acb8d3481c8a522255d5724d38ac93a5708665e354db4673f1aeda66934fb
Size: 116.26 kB
- krb5-server-1.10.3-10.AXS4.1.x86_64.rpm
MD5: b416a96e027be41a3bcd257daf4a6ac7
SHA-256: a672b594b459fd34498aa96ada8268031da99d869f84a2b07d322ac8dbf0764f
Size: 1.98 MB
- krb5-server-ldap-1.10.3-10.AXS4.1.x86_64.rpm
MD5: fa8de9fdfc01d4b4c426cb4069f5994c
SHA-256: 96cfa0cc0a102a2788b9ce36d69bd24bf0616ce6bcca0fbbcc9e4ab048d187d3
Size: 150.39 kB
- krb5-workstation-1.10.3-10.AXS4.1.x86_64.rpm
MD5: 21ee59d26b8ed0fcde6d093987488a16
SHA-256: 7287e77a33dbc6e960ccc2405807f4786515c473b89064629ed138eb48a1bb1b
Size: 803.31 kB
- krb5-devel-1.10.3-10.AXS4.1.i686.rpm
MD5: 8b5490b334d9aca7e9a49f6c31c12e8c
SHA-256: a813e3fe665845154a56997a85ea4b3d1a1d3461a27ff07ffd75fbfb77e6d545
Size: 492.19 kB
- krb5-libs-1.10.3-10.AXS4.1.i686.rpm
MD5: 254d740854b2ada2a466383991731f15
SHA-256: 4213a819b36fb28335a3fb0073147d6a983c0864a523456893d61c037ab138e4
Size: 767.64 kB
- krb5-server-ldap-1.10.3-10.AXS4.1.i686.rpm
MD5: 8ef8c0cbbdebfd42331d5df7226992d9
SHA-256: d28e549893e6a3b95d0cd68451a46d4da5d4e7718f686d4248d2c6e9a20d9435
Size: 150.48 kB