Richard A Nelson
2009-Feb-23 06:52 UTC
[Secure-testing-team] Bug#516695: libpam-heimdal: new version (3.13) fixing two security issues
Package: libpam-heimdal
Version: 3.10-2.1
Severity: critical
Tags: security
Justification: root security hole

libpam-heimdal needs to be brought up to current libpam-krb5

I know this was all stalled by the freeze, but 'tis time now

------------------------------------------------------------------------
Date: Tue, 17 Feb 2009 16:32:07 +0000
...
libpam-krb5 (3.13-2) unstable; urgency=low
.
  * Upload to unstable.
.
libpam-krb5 (3.13-1) experimental; urgency=high
.
  * New upstream release.
    - SECURITY (CVE-2009-0360): If invoked in a setuid context, ignore
      user environment variables that specify the local keytab and
      Kerberos configuration. Protects against a privilege escalation
      vulnerability.
    - SECURITY (CVE-2009-0361): Protect against applications calling
      pam_setcred with PAM_REINITIALIZE_CREDS as root in a setuid
      context. This API call is designed to reinitialize an existing
      Kerberos ticket cache and therefore trusts the KRB5CCNAME
      environment variable, but in a setuid context, this may allow
      overwriting arbitrary files.
-------------------------------------------------------------------------

-- System Information:
Debian Release: 5.0
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27.15 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-heimdal depends on:
ii  libc6                2.9-3            GNU C Library: Shared libraries
ii  libkrb5-25-heimdal   1.2.dfsg.1-2.1   Heimdal Kerberos - libraries
ii  libpam0g             1.0.1-5          Pluggable Authentication Modules l

libpam-heimdal recommends no packages.

libpam-heimdal suggests no packages.

-- no debconf information
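The two defensive checks the quoted changelog describes, written out as an added illustration rather than code from pam-krb5 or libpam-heimdal: a setuid/setgid detector, an environment lookup that falls back to the compiled-in default in a setuid context (the CVE-2009-0360 fix), and a refusal of credential reinitialisation when running as root for a different real user (the CVE-2009-0361 fix). The function names and the sample environment are constructed for this example, and REINIT_CRED_FLAG is assumed to match Linux-PAM's PAM_REINITIALIZE_CRED bit so the example builds without the PAM headers.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Assumed constant: Linux-PAM's PAM_REINITIALIZE_CRED is 0x0008; defined
 * locally so this example builds without <security/pam_modules.h>. */
#define REINIT_CRED_FLAG 0x0008

/* A process whose real and effective ids differ runs setuid/setgid and
 * must not trust environment variables supplied by its caller. */
int in_setuid_context(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid != euid || gid != egid;
}

/* Look up NAME in ENV (a NULL-terminated "KEY=value" array, like environ),
 * but return FALLBACK unconditionally in a setuid context, so a caller's
 * KRB5_CONFIG or KRB5_KTNAME cannot redirect the module (CVE-2009-0360). */
const char *trusted_env_or_default(const char *name, const char *fallback,
                                   int setuid_context, char *const *env)
{
    size_t len = strlen(name);
    if (setuid_context || env == NULL)
        return fallback;
    for (char *const *p = env; *p != NULL; p++)
        if (strncmp(*p, name, len) == 0 && (*p)[len] == '=')
            return *p + len + 1;
    return fallback;
}

/* PAM_REINITIALIZE_CREDS trusts KRB5CCNAME, so refuse it when the module
 * runs as root on behalf of a different real user (CVE-2009-0361). */
int reinit_creds_allowed(int flags, uid_t uid, uid_t euid)
{
    if ((flags & REINIT_CRED_FLAG) && euid == 0 && uid != euid)
        return 0;
    return 1;
}

/* Constructed sample environment for the stand-alone run and the test. */
static char *const sample_env[] = { "KRB5_CONFIG=/tmp/untrusted.conf", "PATH=/usr/bin", NULL };

int main(void)
{
    int setuid_ctx = in_setuid_context(getuid(), geteuid(), getgid(), getegid());
    printf("krb5.conf in use: %s\n", trusted_env_or_default("KRB5_CONFIG",
           "/etc/krb5.conf", setuid_ctx, sample_env));
    return 0;
}
```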