Security update for krb5

Announcement ID:	SUSE-SU-2018:1425-1
Rating:	moderate
References:	bsc#1054028 bsc#1055851 bsc#1081725
Cross-References:	CVE-2017-7562
CVSS scores:	CVE-2017-7562 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2017-7562 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVE-2017-7562 ( NVD ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 SUSE Linux Enterprise Server for SAP Applications 12 SUSE Linux Enterprise Server for SAP Applications 12 SP1 SUSE OpenStack Cloud 6

An update that solves one vulnerability and has two security fixes can now be installed.

Description:

This update for krb5 provides the following fixes:

Security issues fixed:

• CVE-2017-7562: Improper validation of certificate EKU and SAN could lead to authentication bypass. (bsc#1055851)

Non-security issues fixed:

• Set "rdns" and "dns_canonicalize_hostname" to false in krb5.conf in order to improve client security in handling service principle names. (bsc#1054028)
• Fix a GSS failure in legacy applications by not indicating deprecated GSS mechanisms in gss_indicate_mech() list. (bsc#1081725)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE OpenStack Cloud 6
  zypper in -t patch SUSE-OpenStack-Cloud-6-2018-983=1
• SUSE Linux Enterprise Server for SAP Applications 12 SP1
  zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-983=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2018-983=1
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1
  zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-983=1

Package List:

• SUSE OpenStack Cloud 6 (x86_64)
  • krb5-server-debuginfo-1.12.1-38.5.3
  • krb5-plugin-preauth-otp-debuginfo-1.12.1-38.5.3
  • krb5-client-debuginfo-1.12.1-38.5.3
  • krb5-plugin-kdb-ldap-1.12.1-38.5.3
  • krb5-client-1.12.1-38.5.3
  • krb5-debuginfo-32bit-1.12.1-38.5.3
  • krb5-32bit-1.12.1-38.5.3
  • krb5-debugsource-1.12.1-38.5.3
  • krb5-1.12.1-38.5.3
  • krb5-plugin-preauth-pkinit-debuginfo-1.12.1-38.5.3
  • krb5-plugin-preauth-pkinit-1.12.1-38.5.3
  • krb5-plugin-preauth-otp-1.12.1-38.5.3
  • krb5-server-1.12.1-38.5.3
  • krb5-debuginfo-1.12.1-38.5.3
  • krb5-doc-1.12.1-38.5.3
  • krb5-plugin-kdb-ldap-debuginfo-1.12.1-38.5.3
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (ppc64le x86_64)
  • krb5-server-debuginfo-1.12.1-38.5.3
  • krb5-plugin-preauth-otp-debuginfo-1.12.1-38.5.3
  • krb5-client-debuginfo-1.12.1-38.5.3
  • krb5-plugin-kdb-ldap-1.12.1-38.5.3
  • krb5-client-1.12.1-38.5.3
  • krb5-debugsource-1.12.1-38.5.3
  • krb5-1.12.1-38.5.3
  • krb5-plugin-preauth-pkinit-debuginfo-1.12.1-38.5.3
  • krb5-plugin-preauth-pkinit-1.12.1-38.5.3
  • krb5-plugin-preauth-otp-1.12.1-38.5.3
  • krb5-server-1.12.1-38.5.3
  • krb5-debuginfo-1.12.1-38.5.3
  • krb5-doc-1.12.1-38.5.3
  • krb5-plugin-kdb-ldap-debuginfo-1.12.1-38.5.3
• SUSE Linux Enterprise Server for SAP Applications 12 SP1 (x86_64)
  • krb5-debuginfo-32bit-1.12.1-38.5.3
  • krb5-32bit-1.12.1-38.5.3
• SUSE Linux Enterprise Server 12 LTSS 12 (ppc64le s390x x86_64)
  • krb5-server-debuginfo-1.12.1-38.5.3
  • krb5-plugin-preauth-otp-debuginfo-1.12.1-38.5.3
  • krb5-client-debuginfo-1.12.1-38.5.3
  • krb5-plugin-kdb-ldap-1.12.1-38.5.3
  • krb5-client-1.12.1-38.5.3
  • krb5-debugsource-1.12.1-38.5.3
  • krb5-1.12.1-38.5.3
  • krb5-plugin-preauth-pkinit-debuginfo-1.12.1-38.5.3
  • krb5-plugin-preauth-pkinit-1.12.1-38.5.3
  • krb5-plugin-preauth-otp-1.12.1-38.5.3
  • krb5-server-1.12.1-38.5.3
  • krb5-debuginfo-1.12.1-38.5.3
  • krb5-doc-1.12.1-38.5.3
  • krb5-plugin-kdb-ldap-debuginfo-1.12.1-38.5.3
• SUSE Linux Enterprise Server 12 LTSS 12 (s390x x86_64)
  • krb5-debuginfo-32bit-1.12.1-38.5.3
  • krb5-32bit-1.12.1-38.5.3
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (ppc64le s390x x86_64)
  • krb5-server-debuginfo-1.12.1-38.5.3
  • krb5-plugin-preauth-otp-debuginfo-1.12.1-38.5.3
  • krb5-client-debuginfo-1.12.1-38.5.3
  • krb5-plugin-kdb-ldap-1.12.1-38.5.3
  • krb5-client-1.12.1-38.5.3
  • krb5-debugsource-1.12.1-38.5.3
  • krb5-1.12.1-38.5.3
  • krb5-plugin-preauth-pkinit-debuginfo-1.12.1-38.5.3
  • krb5-plugin-preauth-pkinit-1.12.1-38.5.3
  • krb5-plugin-preauth-otp-1.12.1-38.5.3
  • krb5-server-1.12.1-38.5.3
  • krb5-debuginfo-1.12.1-38.5.3
  • krb5-doc-1.12.1-38.5.3
  • krb5-plugin-kdb-ldap-debuginfo-1.12.1-38.5.3
• SUSE Linux Enterprise Server 12 SP1 LTSS 12-SP1 (s390x x86_64)
  • krb5-debuginfo-32bit-1.12.1-38.5.3
  • krb5-32bit-1.12.1-38.5.3

References:

• https://www.suse.com/security/cve/CVE-2017-7562.html
• https://bugzilla.suse.com/show_bug.cgi?id=1054028
• https://bugzilla.suse.com/show_bug.cgi?id=1055851
• https://bugzilla.suse.com/show_bug.cgi?id=1081725