Debian 9844 Published by

The following Debian updates have been released today:

[DLA 265-1] pykerberos security update
[DLA 266-1] libxml2 security update
[DSA 3300-1] iceweasel security update



[DLA 265-1] pykerberos security update

Package : pykerberos
Version : 1.1+svn4895-1+deb6u1
CVE ID : CVE-2015-3206

Martin Prpic reported the possibility of a man-in-the-middle attack
in the pykerberos code to the Red Hat Bugzilla (Fedora bug tracker). The
original issue had earlier been reported upstream [1]. We quote the
upstream bug report in part below:

The python-kerberos checkPassword() method has been badly insecure in
previous releases. It used to do (and still does by default) a kinit
(AS-REQ) to ask a KDC for a TGT for the given user principal, and
interprets the success or failure of that as indicating whether the
password is correct. It does not, however, verify that it actually spoke
to a trusted KDC: an attacker may simply reply instead with an AS-REP
which matches the password he just gave you.

Imagine you were verifying a password using LDAP authentication rather
than Kerberos: you would, of course, use TLS in conjunction with LDAP to
make sure you were talking to a real, trusted LDAP server. The same
requirement applies here. kinit is not a password-verification service.

The usual way of doing this is to take the TGT you've obtained with the
user's password, and then obtain a ticket for a principal for which the
verifier has keys (e.g. a web server processing a username/password form
login might get a ticket for its own HTTP/host@REALM principal), which
it can then verify. Note that this requires that the verifier has its
own Kerberos identity, which is mandated by the symmetric nature of
Kerberos (whereas in the LDAP case, the use of public-key cryptography
allows anonymous verification).

With this version of the pykerberos package, a new option is introduced
for the checkPassword() method. Setting verify to True when calling
checkPassword() performs a KDC verification. For this to work, you
need to provide a krb5.keytab file containing the service principal keys
for the service you intend to use.

As the default krb5.keytab file in /etc is normally not accessible by
non-root users/processes, you have to make sure a custom krb5.keytab
file containing the correct principal keys is provided to your
application using the KRB5_KTNAME environment variable.

Note: In Debian squeeze(-lts), KDC verification support is disabled by
default in order not to break existing setups.
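The following is an added example, not code from the Debian advisory or
from the pykerberos project. It shows how an application would use the
verified mode described above: point KRB5_KTNAME at its own keytab, check
the keytab before contacting the KDC, and call checkPassword() with
verify set to True. It assumes the patched pykerberos accepts the verify
flag as a fifth positional argument, and the service name, realm and
keytab path (/etc/myapp/myapp.keytab) are placeholders.

```python
import os

# Added example; not part of the Debian advisory or of pykerberos itself.
# Assumptions: the patched pykerberos exposes
#   kerberos.checkPassword(user, password, service, default_realm, verify)
# as the DLA describes, and the application ships its own keytab at a
# placeholder path such as /etc/myapp/myapp.keytab.


def keytab_env_value(path):
    """Value to export as KRB5_KTNAME so libkrb5 reads the application's own
    keytab instead of the root-only /etc/krb5.keytab."""
    return path if path.startswith("FILE:") else "FILE:" + path


def keytab_problems(path):
    """Pre-flight checks on the keytab. Returns a list of human-readable
    problems; an empty list means the keytab looks usable."""
    problems = []
    if not os.path.isfile(path):
        problems.append("keytab file does not exist")
        return problems
    if not os.access(path, os.R_OK):
        problems.append("keytab file is not readable by this process")
    mode = os.stat(path).st_mode & 0o777
    if mode & 0o077:
        # Service keys let anyone holding them impersonate the service.
        problems.append("keytab file is readable by group or others (mode %o)" % mode)
    return problems


def verified_password_check(user, password, service, realm, keytab_path):
    """Check a password against the KDC and verify the KDC's answer with the
    service's own key (verify=True).

    Refuses to run when the keytab cannot be used, so a misconfiguration
    never silently degrades to the unverified AS-REQ-only check that the
    advisory describes as vulnerable to a spoofed KDC."""
    problems = keytab_problems(keytab_path)
    if problems:
        raise RuntimeError("cannot use keytab %s: %s"
                           % (keytab_path, "; ".join(problems)))
    os.environ["KRB5_KTNAME"] = keytab_env_value(keytab_path)
    import kerberos  # pykerberos; imported late so the checks above run without it
    # verify=True: after obtaining the TGT, pykerberos requests a ticket for
    # the service principal and validates it with the key from the keytab.
    return kerberos.checkPassword(user, password, service, realm, True)


if __name__ == "__main__":
    import sys
    accepted = verified_password_check(sys.argv[1], sys.argv[2],
                                       "HTTP/www.example.com",  # placeholder service
                                       "EXAMPLE.COM",           # placeholder realm
                                       "/etc/myapp/myapp.keytab")
    print("password accepted" if accepted else "password rejected")
```

The keytab is checked and KRB5_KTNAME is set before pykerberos is
imported, so the unverified path is never taken by accident; on Debian
squeeze(-lts), where verification is off by default, passing the flag
explicitly is what turns it on.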

[1] https://www.calendarserver.org/ticket/833

[DLA 266-1] libxml2 security update

Package : libxml2
Version : 2.7.8.dfsg-2+squeeze12
CVE ID : CVE-2015-1819
Debian Bug : #782782 #782985 #783010

This upload to Debian squeeze-lts fixes three issues found in the libxml2
package.

(1) CVE-2015-1819 / #782782

Florian Weimer from Red Hat reported an issue against libxml2 in which a
parser built on libxml2 chokes on a crafted XML document, allocating
gigabytes of data. This is a borderline case between API misuse and a bug
in libxml2. The issue was addressed in libxml2 upstream and the patch
has been backported to libxml2 in squeeze-lts.

(2) #782985

Jun Kokatsu reported an out-of-bounds memory access in libxml2. When given
an unclosed HTML comment, the libxml2 parser did not stop parsing at the
end of the buffer, causing random memory to be included in the parsed
comment that was returned to the invoking application.

In the Shopify application (where this issue was originally discovered),
this caused Ruby objects from previous HTTP requests to be disclosed in
the rendered page.

(3) #783010

Michal Zalewski reported another out-of-bounds read issue in libxml2 that
did not cause any crashes but could be detected under ASAN and Valgrind.

[DSA 3300-1] iceweasel security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-3300-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
July 04, 2015                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : iceweasel
CVE ID : CVE-2015-2743 CVE-2015-4000 CVE-2015-2734 CVE-2015-2735
CVE-2015-2736 CVE-2015-2737 CVE-2015-2738 CVE-2015-2739
CVE-2015-2740 CVE-2015-2728 CVE-2015-2731 CVE-2015-2724

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: multiple memory safety errors,
use-after-frees and other implementation errors may lead to the
execution of arbitrary code or denial of service. This update also
addresses a vulnerability in DHE key processing commonly known as
the "LogJam" vulnerability.

For the oldstable distribution (wheezy), these problems have been fixed
in version 31.8.0esr-1~deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 31.8.0esr-1~deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 38.1.0esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/