Version in base suite: 2.10.65+deb10u2 Base version: debian-edu-config_2.10.65+deb10u2 Target version: debian-edu-config_2.10.65+deb10u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/debian-edu-config/debian-edu-config_2.10.65+deb10u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/d/debian-edu-config/debian-edu-config_2.10.65+deb10u3.dsc debian/NEWS | 12 ++++++++++++ debian/changelog | 18 ++++++++++++++++++ debian/debian-edu-config.postinst | 8 ++++++++ share/debian-edu-config/tools/kerberos-kdc-init | 2 +- 4 files changed, 39 insertions(+), 1 deletion(-) diff -Nru debian-edu-config-2.10.65+deb10u2/debian/NEWS debian-edu-config-2.10.65+deb10u3/debian/NEWS --- debian-edu-config-2.10.65+deb10u2/debian/NEWS 1970-01-01 00:00:00.000000000 +0000 +++ debian-edu-config-2.10.65+deb10u3/debian/NEWS 2019-12-16 15:29:19.000000000 +0000 @@ -0,0 +1,12 @@ +debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high + + The Kerberos kadm ACLs in /etc/krb5kdc/kadm5.acl contained an insecure + setting allowing all authenticated users in the network to change the + credentials of everyone else, thus impersonating other users and gaining + their privileges. + + If you never changed these ACLs, the package update fixes the issue + automatically. If you did, please double-check that no unexpected + principal has the c ACL (lower-case!) set. + + -- Dominik George Mon, 16 Dec 2019 16:29:19 +0100 diff -Nru debian-edu-config-2.10.65+deb10u2/debian/changelog debian-edu-config-2.10.65+deb10u3/debian/changelog --- debian-edu-config-2.10.65+deb10u2/debian/changelog 2019-11-09 06:42:37.000000000 +0000 +++ debian-edu-config-2.10.65+deb10u3/debian/changelog 2019-12-16 15:29:19.000000000 +0000 
@@ -1,3 +1,21 @@ +debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high + + * Security fix for CVE-2019-3467 + + [ Wolfgang Schweer ] + * share/debian-edu-config/tools/kerberos-kdc-init: + - Set proper rights for users in kadm5.acl file. (Closes: #946797) + * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades. + + [ Holger Levsen ] + * Improve debian/debian-edu-config.postinst fix to only run once on + upgrades. + + [ Dominik George ] + * Add NEWS to warn administrators with possible local changes. + + -- Dominik George Mon, 16 Dec 2019 16:29:19 +0100 + debian-edu-config (2.10.65+deb10u2) buster; urgency=medium [ Wolfgang Schweer ] diff -Nru debian-edu-config-2.10.65+deb10u2/debian/debian-edu-config.postinst debian-edu-config-2.10.65+deb10u3/debian/debian-edu-config.postinst --- debian-edu-config-2.10.65+deb10u2/debian/debian-edu-config.postinst 2019-11-06 14:12:27.000000000 +0000 +++ debian-edu-config-2.10.65+deb10u3/debian/debian-edu-config.postinst 2019-12-16 15:29:19.000000000 +0000 @@ -256,6 +256,14 @@ cp /etc/cfengine3/debian-edu/edu.cf /var/lib/cfengine3/inputs/debian-edu cp /etc/cfengine3/debian-edu/promises.cf /var/lib/cfengine3/inputs fi + + # Set proper rights for users - see #946797 + if dpkg --compare-versions "$2" le "2.10.65+deb10u2" ; then + if [ -f /etc/krb5kdc/kadm5.acl ] ; then + sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl + service krb5-admin-server restart + fi + fi ;; esac diff -Nru debian-edu-config-2.10.65+deb10u2/share/debian-edu-config/tools/kerberos-kdc-init debian-edu-config-2.10.65+deb10u3/share/debian-edu-config/tools/kerberos-kdc-init --- debian-edu-config-2.10.65+deb10u2/share/debian-edu-config/tools/kerberos-kdc-init 2019-08-10 09:39:19.000000000 +0000 +++ debian-edu-config-2.10.65+deb10u3/share/debian-edu-config/tools/kerberos-kdc-init 2019-12-16 15:29:19.000000000 +0000 @@ -187,7 +187,7 @@ if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then cat > /etc/krb5kdc/kadm5.acl <
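Review bot: the debian/NEWS hunk tells administrators with local ACL changes to look only for the `c` flag, but the postinst sed rewrites `cil` to `CIl`, so the fix also withdraws `i` (inquire) from `*@INTERN`; the text should ask admins to review both `c` and `i` on any principal they added, and it should state that the automatic fix only rewrites the stock `*@INTERN cil` line, so any other entry that grants `c` must be corrected by hand.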
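Review bot: in the debian-edu-config.postinst hunk, `service krb5-admin-server restart` runs whenever the ACL file exists, even when the sed matched nothing, and `service` bypasses the invoke-rc.d/policy-rc.d handling Debian policy expects in maintainer scripts; consider rewriting the file only when the vulnerable line is actually present and restarting through the policy-aware wrapper, e.g.
    if grep -q '^\*@INTERN[[:space:]]*cil$' /etc/krb5kdc/kadm5.acl ; then
        sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl
        invoke-rc.d krb5-admin-server restart
The version guard itself is right: `le "2.10.65+deb10u2"` covers the vulnerable base version and skips installs already at +deb10u3, which is the "only run once" behaviour the changelog describes, and on fresh installs the `-f` test keeps the block harmless because kerberos-kdc-init now writes the corrected ACL itself.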
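Review bot: the kerberos-kdc-init hunk is cut off on this page after `cat > /etc/krb5kdc/kadm5.acl <`, so the changed heredoc line cannot be checked here; to match the postinst sed it must read `*@INTERN CIl` in place of `*@INTERN cil` (upper-case letters in kadm5.acl deny the permission, which is why the NEWS entry stresses lower-case `c`), and since this heredoc is only written when the file is absent, existing installs depend entirely on the postinst rewrite, so the two hunks must agree on the exact permission string.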