Bug 2920 - [UPDATE REQUEST] [UPSTREAM UPDATE] krb5
Status: RESOLVED FIXED
Product: Server Bugs
Classification: ROSA Server
Component: Main Packages
Version: unspecified
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: Andrew Lukoshko
QA Contact: ROSA Server Bugs
Depends on:
Blocks:
Reported: 2013-10-18 14:33 MSD by Andrew Lukoshko
Modified: 2013-11-19 12:19 MSK (History)

See Also:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:
vladimir.potapov: qa_verified+
andrew.lukoshko: published_server+
Description Andrew Lukoshko 2013-10-18 14:33:36 MSD
* In the simplest configuration, an organization establishes a single Kerberos
realm, in which all of its clients and servers trust the same KDC. Clients from
one realm can authenticate to services in another realm if their respective KDCs
are properly configured for cross-realm authentication. Cross-realm
authentication can also be performed transitively, allowing clients from one
realm to authenticate first to the KDC of an intermediate realm, possibly
continuing along a path containing multiple intermediate realms, and then
finally to a service in yet another realm. When a service accepts authentication
using GSSAPI, if the client is a member of a different realm, the server will
check the client's ticket for a list of the intermediate realms whose KDCs the
client contacted in order to obtain a ticket for the service. If the list
contains any entries which the service does not expect to be in that path, the
ticket is considered invalid and authentication is rejected. In certain
configurations, due to a bug introduced while adding support for the
"ignore_acceptor_hostname" option, this test failed unconditionally. This update
corrects the issue with the "ignore_acceptor_hostname" option, and failures no
longer occur in the described scenario.

* When processing client requests transmitted to it using the flexible
authentication secure tunneling (FAST) facility, the KDC would lose track of the
type of the request that the client supplied, potentially causing it to fail to
include authorization data in the ticket it would later issue in response to the
request. In some environments, this would result in authorization to resources
being incorrectly denied. This update sets the msg_type option when decoding
FAST requests, and access control no longer fails in the described scenario.

http://rhn.redhat.com/errata/RHBA-2013-1222.html

https://abf.rosalinux.ru/build_lists/1335774
https://abf.rosalinux.ru/build_lists/1335775
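To make the transited-realm check described in the advisory concrete, here is a small Python model of the acceptor-side test. It is an added example, not code from this bug report or from MIT krb5: it assumes the realm names have already been decoded from the ticket's transited field, models the policy table on the shape of a krb5.conf [capaths] section (where "." marks a direct trust), and falls back to the domain-hierarchy path when no policy entry exists.

```python
# Added example: simplified model of the transited-realm check a GSSAPI acceptor
# runs on a cross-realm ticket. Not MIT krb5 code; realm lists are assumed to be
# already decoded (real tickets use the compressed encoding of RFC 4120 3.3.3.2).

def hierarchical_path(client_realm, service_realm):
    """Intermediate realms on the default domain-hierarchy path: walk up from the
    client realm to the longest common suffix, then down to the service realm.
    The two endpoint realms are never part of the transited list."""
    c = client_realm.split(".")
    s = service_realm.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    up = [".".join(c[i:]) for i in range(1, len(c) - common + 1)]
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, 0, -1)]
    path = []
    for realm in up + down:
        if realm and realm not in (client_realm, service_realm) and realm not in path:
            path.append(realm)
    return path


def check_transited(client_realm, service_realm, transited, capaths=None):
    """Accept the ticket only if every realm in its transited list lies on the path
    the service expects. Returns (accepted, unexpected_realms)."""
    if client_realm == service_realm:
        return (not transited, list(transited))  # same-realm tickets transit nothing
    policy = (capaths or {}).get(client_realm, {}).get(service_realm)
    if policy is not None:
        expected = [r for r in policy if r != "."]  # "." means a direct trust, no hops
    else:
        expected = hierarchical_path(client_realm, service_realm)
    unexpected = [r for r in transited if r not in expected]
    return (not unexpected, unexpected)


# Constructed sample inputs (not taken from the page): the transited realms a
# client from ATHENA.MIT.EDU would accumulate reaching CS.WASHINGTON.EDU, and a
# capaths-style policy that only allows a direct cross-realm trust for that pair.
SAMPLE_TRANSITED = ["MIT.EDU", "EDU", "WASHINGTON.EDU"]
DIRECT_ONLY_CAPATHS = {"ATHENA.MIT.EDU": {"CS.WASHINGTON.EDU": ["."]}}

if __name__ == "__main__":
    print(check_transited("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU", SAMPLE_TRANSITED))
    print(check_transited("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU", SAMPLE_TRANSITED,
                          DIRECT_ONLY_CAPATHS))
```

The second call shows the rejection case: a policy that expects a direct trust treats every intermediate realm in the ticket as unexpected, which is the behaviour the advisory says was triggered unconditionally by the regression.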
Comment 1 Vladimir Potapov 2013-10-25 13:46:56 MSD
error 404
Comment 3 Vladimir Potapov 2013-11-16 11:44:41 MSK
krb5-workstation-1.10.3-10.res6.6
*************************** RHEL Advisory **************************
* In the simplest configuration, an organization establishes a single Kerberos
realm, in which all of its clients and servers trust the same KDC. Clients from
one realm can authenticate to services in another realm if their respective KDCs
are properly configured for cross-realm authentication. Cross-realm
authentication can also be performed transitively, allowing clients from one
realm to authenticate first to the KDC of an intermediate realm, possibly
continuing along a path containing multiple intermediate realms, and then
finally to a service in yet another realm. When a service accepts authentication
using GSSAPI, if the client is a member of a different realm, the server will
check the client's ticket for a list of the intermediate realms whose KDCs the
client contacted in order to obtain a ticket for the service. If the list
contains any entries which the service does not expect to be in that path, the
ticket is considered invalid and authentication is rejected. In certain
configurations, due to a bug introduced while adding support for the
"ignore_acceptor_hostname" option, this test failed unconditionally. This update
corrects the issue with the "ignore_acceptor_hostname" option, and failures no
longer occur in the described scenario.

* When processing client requests transmitted to it using the flexible
authentication secure tunneling (FAST) facility, the KDC would lose track of the
type of the request that the client supplied, potentially causing it to fail to
include authorization data in the ticket it would later issue in response to the
request. In some environments, this would result in authorization to resources
being incorrectly denied. This update sets the msg_type option when decoding
FAST requests, and access control no longer fails in the described scenario.
***********************************************************
QA Verified