[krbdev.mit.edu #6837] SVN Commit
Tom Yu via RT
rt-comment at krbdev.mit.edu
Mon Dec 6 18:23:18 EST 2010
Apply patch for MITKRB5-SA-2010-007.
Fix multiple checksum handling bugs, as described in:
CVE-2010-1324
CVE-2010-1323
CVE-2010-4020
CVE-2010-4021
* Return the correct (keyed) checksums as the mandatory checksum type
for DES enctypes.
* Restrict simplified-profile checksums to their corresponding etypes.
* Add internal checks to reduce the risk of stream ciphers being used
with simplified-profile key derivation or other algorithms relying
on the block encryption primitive.
* Use the mandatory checksum type for the PKINIT KDC signature,
instead of the first-listed keyed checksum.
* Use the mandatory checksum type when sending KRB-SAFE messages by
default, instead of the first-listed keyed checksum.
* Use the mandatory checksum type for the t_kperf test program.
* Use the mandatory checksum type (without additional logic) for the
FAST request checksum.
* Preserve the existing checksum choices (unkeyed checksums for DES
enctypes) for the authenticator checksum, using explicit logic.
* Ensure that SAM checksums received from the KDC are keyed.
* Ensure that PAC checksums are keyed.
http://src.mit.edu/fisheye/changelog/krb5/?cs=24562
Commit By: tlyu
Revision: 24562
Changed Files:
U branches/krb5-1-7/src/lib/crypto/dk/derive.c
U branches/krb5-1-7/src/lib/crypto/keyed_checksum_types.c
U branches/krb5-1-7/src/lib/gssapi/krb5/util_crypt.c
U branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c
U branches/krb5-1-7/src/lib/krb5/krb/pac.c
U branches/krb5-1-7/src/lib/krb5/krb/preauth2.c
U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c
More information about the krb5-bugs
mailing list