OBSOLETE Patch-ID# 112238-15
Download this patch from My Oracle Support
|
Your use of the firmware, software and any other materials contained
in this update is subject to My Oracle Support Terms of Use, which
may be viewed at My Oracle Support.
|
|
For further information on patching best practices and resources, please
see the following links:
|
|
Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
|
Keywords: security krb5 client fails interfaces buffer overrun login kerberos pam.conf authentication pam_krb5.so.1 pointer
Synopsis: Obsoleted by: 112238-16 SunOS 5.8_x86: mech_krb5.so.1 and pam_krb5.so.1 patch
Date: Mar/24/2009
Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless
otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.
Solaris Release: 8_x86
SunOS Release: 5.8_x86
Unbundled Product:
Unbundled Release:
Xref: This patch available for SPARC as patch 112237
Topic: SunOS 5.8_x86: mech_krb5.so.1 patch
Relevant Architectures: i386
Bugs fixed with this patch:
Changes incorporated in this version: 6799884 6812087
Patches accumulated and obsoleted by this patch: 109806-19
Patches which conflict with this patch:
Patches required with this patch: 109224-02 (or greater)
Obsoleted by:
Files included with this patch:
/kernel/misc/kgss/gl_kmech_krb5
/usr/bin/kinit
/usr/lib/gss/gl/mech_krb5.so
/usr/lib/gss/gl/mech_krb5.so.1
/usr/lib/gss/mech_dh.so.1
/usr/lib/security/pam_krb5.so.1
Problem Description:
6799884 pam_krb5 could allow authentication to an attacker's KDC
6812087 Solaris 8 fix for CR 6802931 requires a small portion of the 1.2.1 MIT resync code
(from 112238-14)
6473261 fail-over to master KDC when synchronization type errors are returned to the client
6496178 krb5 mech resends AS-REQ to the same KDC (master) after user enters a bad password
(from 112238-13)
5008950 fix for 4957406 is incomplete
4957406 NFS on kerberized file systems thinks I'm nobody
4860226 fix for 4786126 is incomplete
4786126 delegated credentials not provided to caller of gss_accept_sec_context
(from 112238-12)
6261685 security: buffer overflow, heap corruption in KDC
6284864 krb5_recvauth() may free memory twice under certain conditions
(from 112238-11)
4851952 krb5_os_localaddr() doesn't work correctly when multiple interfaces configured
(from 112238-10)
4807010 crash in the gssapi module
5055875 buffer overflow in (undocumented) auth_to_local rules
(from 112238-09)
4882946 GSS_C_NO_BUFFER: gss_init_sec_context gives an Error code
(from 112238-08)
4836676 bounds checks not in place for princs in krbv5
(from 112238-07)
4521000 krb5_gss_wrap_size_limit() does not work
(from 112238-06)
4423818 krb5 mechanism validating the wrong encryption type field
4691352 multiple Kerberos vulnerabilities need to be fixed
(from 112238-05)
4526202 pam_krb5 auth can fail with multiple ftp sessions of same user
(from 112238-04)
4360141 kpasswd needs to be able to interface with MIT
(from 112238-03)
4677605 mech_krb5 patches need a dependency on the libgss patch
(from 112238-02)
4338622 buffer overrun vulnerabilities in Kerberos (SEAM)
(from 112238-01)
4496679 krb5 client authentication fails with 32 interfaces
(from 109806-19)
6200894 pam_krb5 shouldn't use seteuid and friends -- that's not MT-safe
6455225 pam_krb5 should overwrite cache with new credentials when handling pam_setcred (PAM_REFRESH_CRED)
6531864 ktkt_warnd not warning after login
6607813 pam_krb5 setcred coredumps on successful refresh if auth not previously called
6691206 pam_krb5's store_cred should always store new credentials if previous auth pass successful
6724557 potential for memory leak in krb5_setcred's krb5_renew_tgt routine
(from 109806-18)
5014663 pam_krb5: auth prompts for password when principal does not exist
5025227 pam_krb5: auth returns PAM_AUTH_ERR in some cases instead of PAM_SYSTEM_ERR
6215066 kadm apps cannot bind to kadmind if admin_server specifies port #
6246405 Solaris 9 (not Sol 10) PAM stack will prompt for password twice with pam_unix & pam_krb5
6488352 non-Kerberos user attempting to change passwd with pam_krb5.so.1 in pam.conf blanks passwd
(from 109806-17)
4865454 pam_krb5.so.1 doesn't seem to query more than 1 KDC before giving up using MIT
(from 109806-16)
4830044 pam_krb5 needs to be repository-aware
(from 109806-15)
4435001 missing krb5.conf file can allow anyone to log in
(from 109806-14)
4775197 bugfix 4630574 is incomplete
(from 109806-13)
4630574 pam_krb5 should not re-implement utility functions and use libpam utilities
(from 109806-12)
4526202 pam_krb5 auth can fail with multiple ftp sessions of same user
(from 109806-11)
4640156 error msg on console: PAM-KRB5 (account): no module data, pam_krb5 auth ...
(from 109806-10)
4508923 xscreensaver core dumps when it calls Sun's pam_krb5 module's pam_setcred
4699468 pam_krb5 password aging code should check KDCs password protocol
(from 109806-09)
4657596 passwd aging fix does not work for passwords greater than 8 characters
(from 109806-08)
4360141 kpasswd needs to be able to interface with MIT
(from 109806-07)
4457703 pam_krb5 doesn't do kerberos password aging
(from 109806-06)
4485174 dtsession hangs occasionally on wrong password (krb5 auth)
(from 109806-05)
4406541 krb5_err_cleanup() puts bad pointer in environ
4391549 pam_krb5 calls putenv() where is should use pam_putenv()
4499330 pam_krb5.so.1 fails to initialize credentials
(from 109806-04)
4360931 case conflict between DNS domain and Kerberos principal name
(from 109806-03)
4373142 krb5 PAM module restricts password to 8 characters
(from 109806-02)
4351689 wrong login behavior with Kerberos-only login
(from 109806-01)
4330143 login doesn't work when using the kerberos module in pam.conf only
Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
The following example installs a patch to a standalone machine:
example# patchadd /var/spool/patch/123456-07
The following example removes a patch from a standalone system:
example# patchrm 123456-07
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.
Special Install Instructions:
-----------------------------
NOTE 1: Install the patch in single user mode and do a reconfiguration
boot (boot -r) immediately after patch installation.
NOTE 2: Client root principal instances are now always forced to
lower-case on the krb5 client, regardless of case of DNS domain in
/etc/resolv.conf. Customers with root client principal instances
containing upper-case chars (foo.Bar.COM in root/foo.Bar.COM@REALM)
need to create new principals of all lower-case instances
(root/foo.bar.com@REALM).
NOTE 3: To get the complete fix for BugId's 6799884 (pam_krb5 could allow
authentication to an attacker's KDC) and 6812087 (Solaris 8 fix for
CR 6802931 requires a small portion of the 1.2.1 MIT resync code),
please also install the following patch:
112240-13 (or greater) Supplemental Encryption Kerberos V5:
mech_krb5.so.1 patch
README -- Last modified date: Friday, November 9, 2012