Debian 9843 Published by

The following updates has been released for Debian GNU/Linux:

[DLA 265-2] pykerberos regression update
[DLA 299-1] ruby1.8 security update
[DLA 300-1] ruby1.9.1 security update
[DLA 301-1] python-django security update
[DSA 3343-1] twig security update



[DLA 265-2] pykerberos regression update

Package : pykerberos
Version : 1.1+svn4895-1+deb6u2
CVE ID : CVE-2015-3206

It was discovered that the original fix did not disable KDC
verification support by default and changed checkPassowrd()'s
signature. This update corrects this.

This was the text of the original advisiory:

Martin Prpic has reported the possibility of a man-in-the-middle attack
in the pykerberos code to the Red Hat Bugzilla (Fedora bug tracker). The
original issue has earlier been reported upstream [1]. We are quoting the
upstream bug reported partially below:

The python-kerberos checkPassword() method has been badly insecure in
previous releases. It used to do (and still does by default) a kinit
(AS-REQ) to ask a KDC for a TGT for the given user principal, and
interprets the success or failure of that as indicating whether the
password is correct. It does not, however, verify that it actually spoke
to a trusted KDC: an attacker may simply reply instead with an AS-REP
which matches the password he just gave you.

Imagine you were verifying a password using LDAP authentication rather
than Kerberos: you would, of course, use TLS in conjunction with LDAP to
make sure you were talking to a real, trusted LDAP server. The same
requirement applies here. kinit is not a password-verification service.

The usual way of doing this is to take the TGT you've obtained with the
user's password, and then obtain a ticket for a principal for which the
verifier has keys (e.g. a web server processing a username/password form
login might get a ticket for its own HTTP/host@REALM principal), which
it can then verify. Note that this requires that the verifier has its
own Kerberos identity, which is mandated by the symmetric nature of
Kerberos (whereas in the LDAP case, the use of public-key cryptography
allows anonymous verification).

With this version of the pykerberos package a new option is introduced
for the checkPassword() method. Setting verify to True when using
checkPassword() will perform a KDC verification. For this to work, you
need to provide a krb5.keytab file containing service principal keys for
the service you intend to use.

As the default krb5.keytab file in /etc is normally not accessible by
non-root users/processes, you have to make sure a custom krb5.keytab
file containing the correct principal keys is provided to your
application using the KRB5_KTNAME environment variable.

Note: In Debian squeeze(-lts), KDC verification support is disabled by
default in order not to break existing setups.

[1] https://www.calendarserver.org/ticket/833


[DLA 299-1] ruby1.8 security update

Package : ruby1.8
Version : 1.8.7.302-2squeeze5
CVE ID : CVE-2009-5147

"sheepman" fixed a vulnerability in Ruby 1.8: DL::dlopen could open a library
with tainted name even if $SAFE > 0.

For Debian 6 “Squeeze”, this issue has been fixed in ruby1.8
1.8.7.302-2squeeze5.


[DLA 300-1] ruby1.9.1 security update

Package : ruby1.9.1
Version : 1.9.2.0-2+deb6u7
CVE ID : CVE-2009-5147

"sheepman" fixed a vulnerability in Ruby 1.9.1: DL::dlopen could open a
library with tainted name even if $SAFE > 0.

For Debian 6 “Squeeze”, this issue has been fixed in ruby1.9.1
1.9.2.0-2+deb6u7


[DLA 301-1] python-django security update

Package : python-django
Version : 1.2.3-3+squeeze14
CVE ID : CVE-2015-5963 CVE-2015-5964

Denial-of-service possibility in logout() view by filling session store

Previously, a session could be created when anonymously accessing the
django.contrib.auth.views.logout view (provided it wasn't decorated with
django.contrib.auth.decorators.login_required as done in the admin). This
could allow an attacker to easily create many new session records by
sending repeated requests, potentially filling up the session store or
causing other users' session records to be evicted.

The django.contrib.sessions.middleware.SessionMiddleware has been modified
to no longer create empty session records.

This portion of the fix has been assigned CVE-2015-5963.

Additionally, the contrib.sessions.backends.base.SessionBase.flush() and
cache_db.SessionStore.flush() methods have been modified to avoid creating
a new empty session. Maintainers of third-party session backends should
check if the same vulnerability is present in their backend and correct it
if so.

This portion of the fix has been assigned CVE-2015-5964.

We recommend that you upgrade your python-django packages.

[DSA 3343-1] twig security update

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3343-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
August 26, 2015 https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : twig

James Kettle, Alain Tiemblo, Christophe Coevoet and Fabien Potencier
discovered that twig, a templating engine for PHP, did not correctly
process its input. End users allowed to submit twig templates could
use specially crafted code to trigger remote code execution, even in
sandboxed templates.

For the stable distribution (jessie), this problem has been fixed in
version 1.16.2-1+deb8u1.

For the testing (stretch) and unstable (sid) distributions, this
problem has been fixed in version 1.20.0-1.

We recommend that you upgrade your twig packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/