Date:      Wed, 12 Jul 2017 08:07:36 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject:   svn commit: r320911 - in releng/11.0: . crypto/heimdal/lib/krb5 sys/conf
Message-ID:  <201707120807.v6C87a8c057616@repo.freebsd.org>

Author: delphij
Date: Wed Jul 12 08:07:36 2017
New Revision: 320911
URL: https://svnweb.freebsd.org/changeset/base/320911

Log:
  Fix heimdal KDC-REP service name validation vulnerability [SA-17:05]
  
  Approved by:	so

Modified:
  releng/11.0/UPDATING
  releng/11.0/crypto/heimdal/lib/krb5/ticket.c
  releng/11.0/sys/conf/newvers.sh

Modified: releng/11.0/UPDATING
==============================================================================
--- releng/11.0/UPDATING	Wed Jul 12 08:07:16 2017	(r320910)
+++ releng/11.0/UPDATING	Wed Jul 12 08:07:36 2017	(r320911)
@@ -16,7 +16,11 @@ from older versions of FreeBSD, try WITHOUT_CLANG and 
 the tip of head, and then rebuild without this option. The bootstrap process
 from older version of current across the gcc/clang cutover is a bit fragile.
 
-20170427        p10     FreeBSD-SA-17:04.ipfilter
+20170712	p11	FreeBSD-SA-17:05.heimdal
+
+	Fix heimdal KDC-REP service name validation vulnerability.
+
+20170427	p10	FreeBSD-SA-17:04.ipfilter
 
 	Fix ipfilter(4) fragment handling panic. [SA-17:04]
 
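Review bot: The new p11 entry text in UPDATING omits the trailing advisory tag that the neighbouring p10 entry carries ("Fix ipfilter(4) fragment handling panic. [SA-17:04]"); ending the new sentence with [SA-17:05], as the commit log does, would keep the entries uniform and searchable by advisory. The hunk also rewrites the existing p10 header line from space-separated to tab-separated columns. That whitespace-only change would be better kept out of a security fix, or mentioned in the log, so the diff for the advisory shows only the new entry.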

Modified: releng/11.0/crypto/heimdal/lib/krb5/ticket.c
==============================================================================
--- releng/11.0/crypto/heimdal/lib/krb5/ticket.c	Wed Jul 12 08:07:16 2017	(r320910)
+++ releng/11.0/crypto/heimdal/lib/krb5/ticket.c	Wed Jul 12 08:07:36 2017	(r320911)
@@ -713,8 +713,8 @@ _krb5_extract_ticket(krb5_context context,
     /* check server referral and save principal */
     ret = _krb5_principalname2krb5_principal (context,
 					      &tmp_principal,
-					      rep->kdc_rep.ticket.sname,
-					      rep->kdc_rep.ticket.realm);
+					      rep->enc_part.sname,
+					      rep->enc_part.srealm);
     if (ret)
 	goto out;
     if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
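
Review bot: The comment above the changed call, "/* check server referral and save principal */", gives no hint why the arguments must be rep->enc_part.sname and rep->enc_part.srealm rather than the rep->kdc_rep.ticket fields, so a later cleanup could switch them back without anyone noticing. Suggest extending the comment to say that the service name and realm used for validation are taken from the encrypted part of the KDC-REP and not from the ticket fields outside it. The comparison that follows is skipped when EXTRACT_TICKET_ALLOW_SERVER_MISMATCH is set, so callers passing that flag deserve a look to confirm they do not rely on the principal being checked here. Only this one call is visible in the hunk, so it is also worth checking the rest of _krb5_extract_ticket for any remaining use of rep->kdc_rep.ticket.sname or rep->kdc_rep.ticket.realm.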

Modified: releng/11.0/sys/conf/newvers.sh
==============================================================================
--- releng/11.0/sys/conf/newvers.sh	Wed Jul 12 08:07:16 2017	(r320910)
+++ releng/11.0/sys/conf/newvers.sh	Wed Jul 12 08:07:36 2017	(r320911)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="11.0"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
 if [ -n "${BRANCH_OVERRIDE}" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi
