- Issued: 2011-12-06
- Updated: 2011-12-06
RHBA-2011:1707 - krb5 bug fix update
Synopsis
krb5 bug fix update
Type/Severity
Bug Fix Advisory (none)
Topic
Updated krb5 packages that fix multiple bugs are now available for Red Hat Enterprise Linux 6.
Description
The Kerberos authentication system allows clients and servers to authenticate to each other using symmetric encryption and the help of a trusted third party, the KDC. This update fixes the following bugs:
- Kerberos version 1.8 and later defaults to disabling support for older encryption types which are no longer believed to be sufficiently strong. When upgrading from older versions of Red Hat Enterprise Linux, a number of services which run at the key distribution center (KDC) need to have their keys reset to include keys for newer encryption types. This update adds a spot-check to the KDC init script which assists in diagnosing this condition. (BZ#651466)
- Previously, a client could fail to connect to a KDC if a sufficiently large number of descriptors was already in use. This update modifies the Kerberos libraries to use poll(), which does not suffer from this limitation, instead of select(). (BZ#701446, BZ#746341)
- Previously, the kadmin client could fail to establish a connection with certain older versions of the kadmin daemon. In these situations, the server often logged a diagnostic noting that the client had supplied it with incorrect channel bindings. This update modifies the client to allow it to once again contact those versions of kadmind. (BZ#713252, BZ#729068)
- Previously, a client failed to obtain credentials for authentication from KDCs that rejected requests specifying unrecognized options and that also did not support the canonicalize option. With this update, obtaining credentials also works with these KDCs. (BZ#713518)
- Previously, locally-applied patches, which attempt to ensure that any files created by the Kerberos libraries are given and keep the correct SELinux file labels, did not correctly ensure that replay cache files kept their labels. This update corrects the patch to cover this case. (BZ#714217)
- Previously, the Kerberos client libraries could inadvertently trigger an address-to-name lookup inside of the resolver libraries when attempting to derive a principal name from a combination of a service name and a host name, even if the user had disabled such lookups using the "rdns" setting in the krb5.conf file. This update modifies the client library to prevent it from triggering these lookups. (BZ#717378)
- Previously, the kadmind init script could erroneously refuse to start the kadmind server on a KDC if the realm database was moved to a non-default location, or a non-default kdb backend was in use. This update removes the logic from the init script which caused it to do so. (BZ#724033)
- Previously, the krb5-debuginfo package excluded several source files used to build the package. This update ensures that the affected files are still included. (BZ#729044)
- Previously, obtaining the Kerberos credentials for services could fail if the target server was in a different trusted realm from the client. This update modifies krb5-libs so that the client obtains the credentials as expected. (BZ#734341)
All Kerberos users are advised to upgrade to these updated packages, which fix these bugs.
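The select() limitation behind BZ#701446 and BZ#746341, as an added illustration (not code from the krb5 packages or this advisory): an fd_set only holds descriptor numbers below FD_SETSIZE, while poll() has no such bound. The function names and the pipe scenario are constructed for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* An fd_set is a fixed bitmap: only descriptors 0..FD_SETSIZE-1 fit.
 * FD_SET() with a larger number writes out of bounds, so refuse it. */
int fits_in_fd_set(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* poll() takes the descriptor by value, so its number is unbounded.
 * Returns 1 when readable, 0 on timeout, -1 on error. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN };
    int r;
    do {
        r = poll(&p, 1, timeout_ms);
    } while (r < 0 && errno == EINTR);
    if (r <= 0)
        return r;
    return (p.revents & (POLLIN | POLLHUP)) ? 1 : -1;
}

/* Constructed scenario: duplicate a pipe's read end to a descriptor number
 * >= FD_SETSIZE, as in a process already holding many descriptors.
 * Returns 1 if poll() served it, -2 if the fd limit forbids such a number. */
int demo_high_fd(void)
{
    const rlim_t want = FD_SETSIZE + 64;
    struct rlimit rl;
    int pfd[2], hi, ok;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur < want) {
        rl.rlim_cur = rl.rlim_max < want ? rl.rlim_max : want;
        setrlimit(RLIMIT_NOFILE, &rl);       /* best effort */
    }
    if (pipe(pfd) != 0)
        return -1;
    hi = fcntl(pfd[0], F_DUPFD, FD_SETSIZE); /* lowest free fd >= FD_SETSIZE */
    if (hi < 0) { close(pfd[0]); close(pfd[1]); return -2; }
    ok = write(pfd[1], "x", 1) == 1 && !fits_in_fd_set(hi)
         && wait_readable(hi, 1000) == 1;
    close(hi); close(pfd[0]); close(pfd[1]);
    return ok;
}

int main(void) { printf("demo_high_fd() = %d\n", demo_high_fd()); return 0; }
```

A return of -2 means the process's hard descriptor limit is at or below FD_SETSIZE, so the high-numbered case cannot be reproduced in that environment.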
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/kb/docs/DOC-11259
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- krb5-server-1.9-22.el6.i686.rpm
- krb5-libs-1.9-22.el6.s390.rpm
- krb5-debuginfo-1.9-22.el6.i686.rpm
- krb5-pkinit-openssl-1.9-22.el6.x86_64.rpm
- krb5-debuginfo-1.9-22.el6.s390.rpm
- krb5-server-1.9-22.el6.s390x.rpm
- krb5-workstation-1.9-22.el6.i686.rpm
- krb5-devel-1.9-22.el6.i686.rpm
- krb5-1.9-22.el6.src.rpm
- krb5-server-1.9-22.el6.x86_64.rpm
- krb5-pkinit-openssl-1.9-22.el6.i686.rpm
- krb5-libs-1.9-22.el6.ppc64.rpm
- krb5-server-ldap-1.9-22.el6.ppc64.rpm
- krb5-debuginfo-1.9-22.el6.s390x.rpm
- krb5-devel-1.9-22.el6.s390.rpm
- krb5-libs-1.9-22.el6.x86_64.rpm
- krb5-pkinit-openssl-1.9-22.el6.ppc64.rpm
- krb5-libs-1.9-22.el6.i686.rpm
- krb5-workstation-1.9-22.el6.ppc64.rpm
- krb5-server-1.9-22.el6.ppc64.rpm
- krb5-debuginfo-1.9-22.el6.x86_64.rpm
- krb5-debuginfo-1.9-22.el6.ppc.rpm
- krb5-debuginfo-1.9-22.el6.ppc64.rpm
- krb5-libs-1.9-22.el6.ppc.rpm
- krb5-devel-1.9-22.el6.s390x.rpm
- krb5-server-ldap-1.9-22.el6.x86_64.rpm
- krb5-workstation-1.9-22.el6.x86_64.rpm
- krb5-libs-1.9-22.el6.s390x.rpm
- krb5-pkinit-openssl-1.9-22.el6.s390x.rpm
- krb5-server-ldap-1.9-22.el6.s390.rpm
- krb5-server-ldap-1.9-22.el6.i686.rpm
- krb5-server-ldap-1.9-22.el6.s390x.rpm
- krb5-workstation-1.9-22.el6.s390x.rpm
- krb5-devel-1.9-22.el6.ppc64.rpm
- krb5-server-ldap-1.9-22.el6.ppc.rpm
- krb5-devel-1.9-22.el6.ppc.rpm
- krb5-devel-1.9-22.el6.x86_64.rpm
Fixes
- BZ - 651466
- BZ - 701446
- BZ - 711032
- BZ - 713252
- BZ - 713518
- BZ - 714217
- BZ - 717378
- BZ - 723995
- BZ - 724033
- BZ - 729044
- BZ - 729068
- BZ - 734172
- BZ - 746341
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See Offline Security Data API to get started.