Date | Who | What changed | Old value | New value | Message
2012-04-25 20:07:21 |
Russ Allbery |
bug |
|
|
added bug |
2012-04-25 20:13:02 |
Russ Allbery |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670457 |
|
2012-04-25 20:13:02 |
Russ Allbery |
bug task added |
|
krb5 (Debian) |
|
2012-04-26 15:21:35 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2012-04-27 11:11:50 |
James Page |
bug watch added |
|
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7119 |
|
2012-04-27 11:12:45 |
James Page |
krb5 (Ubuntu): status |
New |
Confirmed |
|
2012-04-27 11:12:48 |
James Page |
krb5 (Ubuntu): importance |
Undecided |
Medium |
|
2012-04-27 11:13:31 |
James Page |
krb5 (Ubuntu): status |
Confirmed |
Incomplete |
|
2012-04-27 11:13:37 |
James Page |
bug |
|
|
added subscriber James Page |
2012-04-27 12:59:42 |
Bug Watch Updater |
krb5 (Debian): status |
Unknown |
New |
|
2012-05-09 12:38:51 |
Bug Watch Updater |
krb5 (Debian): status |
New |
Fix Committed |
|
2012-05-11 13:19:45 |
Bug Watch Updater |
krb5 (Debian): status |
Fix Committed |
Fix Released |
|
2012-05-15 03:05:44 |
Robie Basak |
attachment added |
|
Test Case https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/988520/+attachment/3146878/+files/testcase.sh |
|
2012-05-15 03:06:02 |
Robie Basak |
attachment added |
|
krb5.debdiff https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/988520/+attachment/3146879/+files/krb5.debdiff |
|
2012-05-15 03:06:21 |
Robie Basak |
attachment added |
|
Test build https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/988520/+attachment/3146880/+files/krb5_1.10%2Bdfsg%7Ebeta1-2ubuntu0.1_amd64.build.xz |
|
2012-05-15 03:11:29 |
Robie Basak |
description |
MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail.
This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
Upstream has fixed this problem in their mainline with commit 25822. |
SRU Justification
[Impact]
If an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail. This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
[Development Fix]
New upstream release. Updated in Debian. Pending sync in Ubuntu. Verified in Ubuntu manually.
[Stable Fix]
Upstream patch cherry-picked. Debdiff attached.
[Test Case]
testcase.sh attached.
[Regression Potential]
Low: one line patch for missing initialisation written by upstream.
Original report by Russ Allbery:
MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail.
This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
Upstream has fixed this problem in their mainline with commit 25822. |
|
2012-05-15 03:11:35 |
Robie Basak |
krb5 (Ubuntu): status |
Incomplete |
Triaged |
|
2012-05-15 03:12:01 |
Robie Basak |
nominated for series |
|
Ubuntu Precise |
|
2012-05-15 17:41:00 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2012-05-15 17:41:08 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2012-05-23 06:55:10 |
Robie Basak |
description |
SRU Justification
[Impact]
If an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail. This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
[Development Fix]
New upstream release. Updated in Debian. Pending sync in Ubuntu. Verified in Ubuntu manually.
[Stable Fix]
Upstream patch cherry-picked. Debdiff attached.
[Test Case]
testcase.sh attached.
[Regression Potential]
Low: one line patch for missing initialisation written by upstream.
Original report by Russ Allbery:
MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail.
This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
Upstream has fixed this problem in their mainline with commit 25822. |
SRU Justification
[Impact]
If an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail. This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
[Development Fix]
New upstream release. Updated in Debian. Synced in Ubuntu. Verified fixed on Quantal using test case below.
[Stable Fix]
Upstream patch cherry-picked. Debdiff attached.
[Test Case]
testcase.sh attached.
[Regression Potential]
Low: one line patch for missing initialisation written by upstream.
Original report by Russ Allbery:
MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail.
This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
Upstream has fixed this problem in their mainline with commit 25822. |
|
2012-05-23 06:56:35 |
Robie Basak |
krb5 (Ubuntu): status |
Triaged |
Fix Released |
|
2012-05-23 15:42:08 |
Jamie Strandboge |
bug task added |
|
krb5 (Ubuntu Precise) |
|
2012-05-23 15:46:56 |
Robie Basak |
krb5 (Ubuntu Precise): status |
New |
Triaged |
|
2012-05-23 15:47:12 |
Robie Basak |
krb5 (Ubuntu Precise): importance |
Undecided |
Medium |
|
2012-05-29 18:14:15 |
Brian Murray |
krb5 (Ubuntu Precise): status |
Triaged |
Fix Committed |
|
2012-05-29 18:14:19 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2012-05-29 18:14:21 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2012-05-29 18:14:24 |
Brian Murray |
tags |
patch |
patch verification-needed |
|
2012-05-29 18:50:22 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/precise-proposed/krb5 |
|
2012-05-29 20:13:32 |
Jean-Baptiste Lallement |
tags |
patch verification-needed |
patch verification-done |
|
2012-06-03 19:20:16 |
musicalvegan0 |
bug |
|
|
added subscriber musicalvegan0 |
2012-06-06 01:35:53 |
Launchpad Janitor |
krb5 (Ubuntu Precise): status |
Fix Committed |
Fix Released |
|
2012-07-17 13:54:16 |
Benjamin Drung |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2012-10-15 20:31:02 |
Chris J Arges |
bug |
|
|
added subscriber Sustaining Engineering |
2014-02-07 17:13:16 |
Curtis Hovey |
removed subscriber Registry Administrators |
|
|
|