Version in base suite: 0.25 Base version: debian-lan-config_0.25 Target version: debian-lan-config_0.25+deb10u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/d/debian-lan-config/debian-lan-config_0.25.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/d/debian-lan-config/debian-lan-config_0.25+deb10u1.dsc debian/NEWS | 22 ++++++++++++++++++++ debian/changelog | 7 ++++++ fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC | 2 - 3 files changed, 29 insertions(+), 2 deletions(-) diff -Nru debian-lan-config-0.25/debian/NEWS debian-lan-config-0.25+deb10u1/debian/NEWS --- debian-lan-config-0.25/debian/NEWS 1970-01-01 00:00:00.000000000 +0000 +++ debian-lan-config-0.25+deb10u1/debian/NEWS 2019-12-27 13:21:49.000000000 +0000 
@@ -0,0 +1,22 @@ +debian-lan-config (0.25+deb10u1) buster-security; urgency=high + + The krb5-admin-server ACLs provided by the debian-lan-config + package in '/usr/share/debian-lan-config/fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC' + contained an insecure setting. This allowed all authenticated + users in the network to change the credentials of everyone else, + thus impersonating other users and gaining their privileges. + + If you have used these ACLs in '/etc/krb5kdc/kadm5.acl' on a + machine providing the krb5-admin-server, check and remove + all lines with non-admin principals from 'kadm5.acl'. + Usually, the line 'root/admin@INTERN *' is sufficient and all + other principals must not have access. + + If you copied the FAI config space provided by the + debian-lan-config package, make sure the file + 'fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC' + in your FAI config space contains only the line + 'root/admin@INTERN *', to install krb5-admin-servers + with correct ACLs. + + -- Andreas B. Mundt Tue, 24 Dec 2019 13:12:55 +0100 diff -Nru debian-lan-config-0.25/debian/changelog debian-lan-config-0.25+deb10u1/debian/changelog --- debian-lan-config-0.25/debian/changelog 2018-10-21 05:13:37.000000000 +0000 +++ debian-lan-config-0.25+deb10u1/debian/changelog 2019-12-27 13:21:49.000000000 +0000 
@@ -1,3 +1,10 @@ +debian-lan-config (0.25+deb10u1) buster-security; urgency=high + + * Fix kadmin access rules. + * Add NEWS file. + + -- Andreas B. Mundt Fri, 27 Dec 2019 14:21:49 +0100 + debian-lan-config (0.25) unstable; urgency=medium * Remove some packages from NFSROOT; fix fstab entries. diff -Nru debian-lan-config-0.25/fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC debian-lan-config-0.25+deb10u1/fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC --- debian-lan-config-0.25/fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC 2018-10-21 05:13:37.000000000 +0000 +++ debian-lan-config-0.25+deb10u1/fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC 2019-12-27 13:21:49.000000000 +0000 @@ -1,4 +1,2 @@ ## access controls for the Kerberos KDC root/admin@INTERN * -*@INTERN cil -*/*@INTERN i
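Review bot: in the debian/NEWS hunk, the remediation only tells affected admins to remove the non-admin lines; it gives them no way to find out whether the hole was already used. Since 'cil' on every principal allowed any authenticated user to set another user's password, the NEWS entry should also recommend reviewing the kadmind log on the admin server for password changes issued by principals other than root/admin, and forcing a password reset where anything looks off. Two smaller points in the same hunk: 'root/admin@INTERN *' assumes the realm is still INTERN, so say "your admin principal" for sites that renamed the realm; and the kadm5.acl file is read when kadmind starts, so the instructions should end with a restart of krb5-admin-server after the edit, otherwise the corrected file has no effect until the next reboot.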
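Review bot: in the KERBEROS_KDC hunk, the removed line '*@INTERN cil' has no target-principal column, so the 'c' (change password) bit applied to every principal in the realm, including root/admin itself; dropping it is the right fix, and the remaining 'root/admin@INTERN *' is the minimal ACL. Two suggestions so the file is not broken again on the next edit: replace the one-line comment '## access controls for the Kerberos KDC' with a short note on the field order (principal, permissions, optional target principal) and why only the admin principal may appear, and state in the changelog that '*/*@INTERN i' was also dropped, since that line was not part of the impersonation issue and an admin who relied on two-component (host/service) principals being able to inquire will otherwise not know why that stopped working.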