Security update for libheimdal SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2180-1 Final 1 1 2017-08-16T18:07:07Z current 2017-08-16T18:07:07Z 2017-08-16T18:07:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for libheimdal This update for libheimdal fixes the following issues: - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation. This is a critical vulnerability. In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams. See https://www.orpheus-lyre.info/ for more details. (bsc#1048278) - Fix CVE-2017-6594: transit path validation inadvertently caused the previous hop realm to not be added to the transit path of issued tickets. This may, in some cases, enable bypass of capath policy in Heimdal versions 1.5 through 7.2. Note, this may break sites that rely on the bug. With the bug some incomplete [capaths] worked, that should not have. These may now break authentication in some cross-realm configurations. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-08/msg00062.html E-Mail link for openSUSE-SU-2017:2180-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 libheimdal-7.4.0-3.1 libheimdal-devel-7.4.0-3.1 libheimdal-7.4.0-3.1 as a component of openSUSE Leap 42.2 libheimdal-devel-7.4.0-3.1 as a component of openSUSE Leap 42.2 libheimdal-7.4.0-3.1 as a component of openSUSE Leap 42.3 libheimdal-devel-7.4.0-3.1 as a component of openSUSE Leap 42.3 Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unencrypted version provides an opportunity for successful server impersonation and other attacks. NOTE: this CVE is only for Heimdal and other products that embed Heimdal code; it does not apply to other instances in which this part of the Kerberos 5 protocol specification is violated. CVE-2017-11103 openSUSE Leap 42.2:libheimdal-7.4.0-3.1 openSUSE Leap 42.2:libheimdal-devel-7.4.0-3.1 openSUSE Leap 42.3:libheimdal-7.4.0-3.1 openSUSE Leap 42.3:libheimdal-devel-7.4.0-3.1 important Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00062.html https://www.suse.com/security/cve/CVE-2017-11103.html CVE-2017-11103 https://bugzilla.suse.com/1048278 SUSE Bug 1048278 The transit path validation code in Heimdal before 7.3 might allow attackers to bypass the capath policy protection mechanism by leveraging failure to add the previous hop realm to the transit path of issued tickets. CVE-2017-6594 openSUSE Leap 42.2:libheimdal-7.4.0-3.1 openSUSE Leap 42.2:libheimdal-devel-7.4.0-3.1 openSUSE Leap 42.3:libheimdal-7.4.0-3.1 openSUSE Leap 42.3:libheimdal-devel-7.4.0-3.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-08/msg00062.html https://www.suse.com/security/cve/CVE-2017-6594.html CVE-2017-6594 https://bugzilla.suse.com/1048278 SUSE Bug 1048278