Package: debian-edu-config
Version: 1.812+deb8u1
Severity: important
To improve security, settings in kadm5.acl should be adjusted.
The needed fix is minimal:
--- a/share/debian-edu-config/tools/kerberos-kdc-init
+++ b/share/debian-edu-config/tools/kerberos-kdc-init
@@ -187,7 +187,7 @@ EOF
if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then
cat > /etc/krb5kdc/kadm5.acl <<EOF
root/admin@INTERN *
-*@INTERN cil
+*@INTERN Cil
*/*@INTERN i
EOF
chmod 644 /etc/krb5kdc/kadm5.acl
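Review bot: The `*@INTERN Cil` line only turns change-password into a deny; inquire (`i`) and list (`l`) stay granted to every principal in the realm, next to the untouched `*/*@INTERN i` entry. If ordinary users have no need to query kadmin, deny `i` as well, or drop the wildcard entry and keep only `root/admin@INTERN *`. Because the block sits under `if [ ! -f /etc/krb5kdc/kadm5.acl ]`, this change only reaches fresh installs, so existing files need a separate migration.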
Thanks to Andreas B. Mundt for the hint.
Also, /etc/krb5kdc/kadm5.acl should be fixed accordingly upon upgrades
by adding something like this to debian-edu-config.postinst:
[configure case]
fi
+
+ # Set proper rights for users.
+ if [ -f /etc/krb5kdc/kadm5.acl ] ; then
+ sed -i 's/cil/Cil/' /etc/krb5kdc/kadm5.acl
+ fi
;;
esac
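Review bot: The `sed -i 's/cil/Cil/'` expression is not anchored to the `*@INTERN` entry, so it rewrites the first `cil` on every line of the file, including entries a local admin added on purpose and any principal name that happens to contain those letters. Match the principal together with the permission string so that only the shipped wildcard line changes, and consider skipping or warning when the file no longer matches what the package wrote. The visible lines also do nothing to make the running admin server pick up the changed ACL.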
Wolfgang
Subject: Bug#946797 marked as pending in debian-edu-config
Date: Sun, 15 Dec 2019 23:39:56 +0000
Control: tag -1 pending
Hello,
Bug #946797 in debian-edu-config reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/debian-edu/debian-edu-config/commit/fc5da005cfd6cd71fa6870569351385f527d38ae
------------------------------------------------------------------------
share/debian-edu-config/tools/kerberos-kdc-init:
Set proper rights for users in kadm5.acl file. (Closes: #946797)
Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
Signed-off-by: Wolfgang Schweer <wschweer@arcor.de>
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/946797
Added tag(s) pending.
Request was from WolfgangSchweer <noreply@salsa.debian.org>
to 946797-submitter@bugs.debian.org.
(Sun, 15 Dec 2019 23:45:11 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 10:15:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Dominik George <dominik.george@teckids.org>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 10:15:09 GMT) (full text, mbox, link).
Subject: Re: debian-edu-config: kadm5.acl should set proper rights for users
Date: Mon, 16 Dec 2019 11:05:33 +0100
Hi,
> Severity: important
I propose this bug to be set to severity critical and handled by DSA. After all, it is a local impersonation and root privilege escalation bug, if not remote if you consider clients scattered out over a school remote.
>
> To improve security, settings in kadm5.acl should be adjusted.
>
> The needed fix is minimal:
>
> --- a/share/debian-edu-config/tools/kerberos-kdc-init
> +++ b/share/debian-edu-config/tools/kerberos-kdc-init
> @@ -187,7 +187,7 @@ EOF
> if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then
> cat > /etc/krb5kdc/kadm5.acl <<EOF
> root/admin@INTERN *
> -*@INTERN cil
> +*@INTERN Cil
> */*@INTERN i
> EOF
> chmod 644 /etc/krb5kdc/kadm5.acl
Why not just remove that line? Or disallow everything? Disallowing changes fixes the privilege escalation, but it is also questionable if everyone and their dog need to be allowed to track when which other person used the network. I am pretty certain it is at least a DSGVO violation.
>
> Thanks to Andreas B. Mundt for the hint.
>
> Also, /etc/krb5kdc/kadm5.acl should be fixed accordingly upon upgrades
> by adding something like this to debian-edu-config.postinst:
>
> [configure case]
> fi
> +
> + # Set proper rights for users.
> + if [ -f /etc/krb5kdc/kadm5.acl ] ; then
> + sed -i 's/cil/Cil/' /etc/krb5kdc/kadm5.acl
> + fi
> ;;
> esac
Probably only if it was unmodified. If not, postinst should issue a warning using debconf, IMHO.
-nik
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 10:21:10 GMT) (full text, mbox, link).
Acknowledgement sent
to Dominik George <dominik.george@teckids.org>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 10:21:10 GMT) (full text, mbox, link).
Subject: Re: debian-edu-config: kadm5.acl should set proper rights for users
Date: Mon, 16 Dec 2019 11:10:24 +0100
> handled by DSA.
in a DSA.
(We should disambiguate DSA and DSA ;))
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 10:27:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Wolfgang Schweer <w.schweer@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 10:27:03 GMT) (full text, mbox, link).
On Mon, Dec 16, 2019 at 11:05:33AM +0100, Dominik George wrote:
> > root/admin@INTERN *
> > -*@INTERN cil
> > +*@INTERN Cil
> > */*@INTERN i
> > EOF
> > chmod 644 /etc/krb5kdc/kadm5.acl
>
> Why not just remove that line?
The only line needed is: root/admin@INTERN *
Intention is to fix the bug, but keep the change as minimal as possible.
Wolfgang
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 10:36:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Dominik George <dominik.george@teckids.org>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 10:36:04 GMT) (full text, mbox, link).
To: Wolfgang Schweer <w.schweer@gmx.de>,946797@bugs.debian.org
Subject: Re: Bug#946797: debian-edu-config: kadm5.acl should set proper rights for users
Date: Mon, 16 Dec 2019 11:33:28 +0100
>> > root/admin@INTERN *
>> > -*@INTERN cil
>> > +*@INTERN Cil
>> > */*@INTERN i
>> > EOF
>> > chmod 644 /etc/krb5kdc/kadm5.acl
>>
>> Why not just remove that line?
>
>The only line needed is: root/admin@INTERN *
>Intention is to fix the bug, but keep the change as minimal as
>possible.
Then it should be CIl in my opinion. Listing principals is the same as getent passwd, so no additional leaks here. The i ACL allows tracking other users' use of the network. It is thus part of the bug.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 11:15:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Wolfgang Schweer <w.schweer@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 11:15:03 GMT) (full text, mbox, link).
On Mon, Dec 16, 2019 at 11:33:28AM +0100, Dominik George wrote:
> >> Why not just remove that line?
> >
> >The only line needed is: root/admin@INTERN *
> >Intention is to fix the bug, but keep the change as minimal as
> >possible.
> Then it should be CIl in my opinion. Listing principals is the same as
> getent passwd, so no additional leaks here. The i ACL allows tracking
> other users' use of the network. It is thus part of the bug.
IMO Cil is enough, but better safe than sorry. Just committed like
proposed, thanks.
Wolfgang
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 12:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Dominik George <dominik.george@teckids.org>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 12:12:03 GMT) (full text, mbox, link).
To: Wolfgang Schweer <w.schweer@gmx.de>, 946797@bugs.debian.org
Subject: Re: Bug#946797: debian-edu-config: kadm5.acl should set proper
rights for users
Date: Mon, 16 Dec 2019 13:09:53 +0100
On Mon, Dec 16, 2019 at 12:13:49PM +0100, Wolfgang Schweer wrote:
> On Mon, Dec 16, 2019 at 11:33:28AM +0100, Dominik George wrote:
> > >> Why not just remove that line?
> > >
> > >The only line needed is: root/admin@INTERN *
> > >Intention is to fix the bug, but keep the change as minimal as
> > >possible.
> > Then it should be CIl in my opinion. Listing principals is the same as
> > getent passwd, so no additional leaks here. The i ACL allows tracking
> > other users' use of the network. It is thus part of the bug.
>
> IMO Cil is enough, but better safe than sorry. Just committed like
> proposed, thanks.
Great!
Also, I'd propose to turn the sed command into:
sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl
This way, it will not destroy any legitimate additions a local admin made.
-nik
Severity set to 'critical' from 'important'
Request was from Dominik George <natureshadow@debian.org>
to control@bugs.debian.org.
(Mon, 16 Dec 2019 13:06:06 GMT) (full text, mbox, link).
Added tag(s) patch and security.
Request was from Dominik George <natureshadow@debian.org>
to control@bugs.debian.org.
(Mon, 16 Dec 2019 13:06:07 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 13:15:07 GMT) (full text, mbox, link).
Acknowledgement sent
to Wolfgang Schweer <w.schweer@gmx.de>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 13:15:07 GMT) (full text, mbox, link).
On Mon, Dec 16, 2019 at 01:09:53PM +0100, Dominik George wrote:
> Also, I'd propose to turn the sed command into:
>
> sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl
>
> This way, it will not destroy any legitimate additions a local admin made.
Good point. Thanks, committed.
Wolfgang
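The difference between the two sed expressions discussed above, run against a constructed kadm5.acl; this is an added example, not part of the thread or of debian-edu-config. The `helpdesk/admin` and `pencil` entries are hypothetical local additions, and `changed_lines` and `audit_acl` are hypothetical helpers.

```shell
#!/bin/sh
# Added example, not code from debian-edu-config. The ACL is constructed:
# the first three lines are the defaults shown in the report, the last two
# are hypothetical entries a local administrator might have added.
sample_acl() {
    cat <<'EOF'
root/admin@INTERN *
*@INTERN cil
*/*@INTERN i
helpdesk/admin@INTERN cil
pencil@INTERN l
EOF
}

# First proposal in the report: rewrites the first "cil" on every line.
migrate_unanchored() {
    sed 's/cil/Cil/'
}

# Later proposal in the thread: only the wildcard user entry is rewritten.
migrate_anchored() {
    sed 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/'
}

# Print every output line of migration "$1" that differs from the original.
changed_lines() {
    orig=$(sample_acl)
    sample_acl | "$1" | while IFS= read -r line; do
        printf '%s\n' "$orig" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# List wildcard principals that are still granted change-password rights:
# lowercase c, or the all-privileges shorthands x and *. Uppercase letters
# are denials and are not reported. Blank lines and # comments are skipped.
audit_acl() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 ~ /\*/ && $2 ~ /[cx*]/ { print $1, $2 }'
}

echo "Lines changed by the unanchored expression:"
changed_lines migrate_unanchored
echo "Lines changed by the anchored expression:"
changed_lines migrate_anchored
echo "Wildcard entries granting change-password before migration:"
sample_acl | audit_acl
echo "Wildcard entries granting change-password after anchored migration:"
sample_acl | migrate_anchored | audit_acl
```

The unanchored form also downgrades the `helpdesk/admin` grant and corrupts the `pencil` principal name, while the anchored form touches only the shipped wildcard line.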
Subject: Bug#946797 marked as pending in debian-edu-config
Date: Mon, 16 Dec 2019 15:41:17 +0000
Control: tag -1 pending
Hello,
Bug #946797 in debian-edu-config reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/debian-edu/debian-edu-config/commit/69dd3cf269eaa802f265cdd5b801f111d05731fe
------------------------------------------------------------------------
share/debian-edu-config/tools/kerberos-kdc-init:
Set proper rights for users in kadm5.acl file. (Closes: #946797)
Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
Signed-off-by: Wolfgang Schweer <wschweer@arcor.de>
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/946797
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 15:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 15:51:03 GMT) (full text, mbox, link).
Hi,
Wolfgang, many thanks for this bug report and the quick fix.
I'll upload to unstable right now and will coordinate with DSA and LTS
the fixes for buster, stretch and jessie.
On Mon, Dec 16, 2019 at 11:05:33AM +0100, Dominik George wrote:
> > Severity: important
> I propose this bug to be set to severity critical and handled by DSA.
DSA is very happy about maintainers - in coordination with DSA - taking care
of 'their' security fixes.
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 16:00:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 16:00:04 GMT) (full text, mbox, link).
On Mon, Dec 16, 2019 at 12:26:57AM +0100, Wolfgang Schweer wrote:
> Also, /etc/krb5kdc/kadm5.acl should be fixed accordingly upon upgrades
> by adding something like this to debian-edu-config.postinst:
>
> [configure case]
> fi
> +
> + # Set proper rights for users.
> + if [ -f /etc/krb5kdc/kadm5.acl ] ; then
> + sed -i 's/cil/Cil/' /etc/krb5kdc/kadm5.acl
> + fi
> ;;
I've made this conditional, so that this is only executed when upgrading
from 2.11.9 or before. (Also because the above changes also need a
krb5-admin-server service restart...)
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 16:09:02 GMT) (full text, mbox, link).
Acknowledgement sent
to Dominik George <nik@naturalnet.de>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 16:09:02 GMT) (full text, mbox, link).
To: Holger Levsen <holger@layer-acht.org>, 946797@bugs.debian.org
Subject: Re: Bug#946797: debian-edu-config: kadm5.acl should set proper
rights for users
Date: Mon, 16 Dec 2019 16:58:32 +0100
Hi,
> Wolfgang, many thanks for this bug report and the quick fix.
> I'll upload to unstable right now and will coordinate with DSA and LTS
> the fixes for buster, stretch and jessie.
Are you aware that, as laid out on IRC, I am already doing that?
-nik
Reply sent
to Holger Levsen <holger@debian.org>:
You have taken responsibility.
(Mon, 16 Dec 2019 16:21:04 GMT) (full text, mbox, link).
Notification sent
to Wolfgang Schweer <w.schweer@gmx.de>:
Bug acknowledged by developer.
(Mon, 16 Dec 2019 16:21:04 GMT) (full text, mbox, link).
Subject: Bug#946797: fixed in debian-edu-config 2.11.10
Date: Mon, 16 Dec 2019 16:19:31 +0000
Source: debian-edu-config
Source-Version: 2.11.10
We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 946797@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Mon, 16 Dec 2019 16:56:24 +0100
Source: debian-edu-config
Architecture: source
Version: 2.11.10
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 946797
Changes:
debian-edu-config (2.11.10) unstable; urgency=medium
.
[ Wolfgang Schweer ]
* share/debian-edu-config/tools/kerberos-kdc-init:
- Set proper rights for users in kadm5.acl file. (Closes: #946797)
* Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
* Use secure URI in Homepage field.
* Use canonical URL in Vcs-Git.
.
[ Holger Levsen ]
* Improve debian/debian-edu-config.postinst fix to only run once on
upgrades.
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Edu Developers <debian-edu@lists.debian.org>: Bug#946797; Package debian-edu-config.
(Mon, 16 Dec 2019 16:24:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Debian Edu Developers <debian-edu@lists.debian.org>.
(Mon, 16 Dec 2019 16:24:03 GMT) (full text, mbox, link).
On Mon, Dec 16, 2019 at 04:58:32PM +0100, Dominik George wrote:
> > Wolfgang, many thanks for this bug report and the quick fix.
> > I'll upload to unstable right now and will coordinate with DSA and LTS
> > the fixes for buster, stretch and jessie.
> Are you aware that, as laid out on IRC, I am already doing that?
no. (best always to inform the bug if you are working on one.) (*)
also I've already uploaded to unstable as the fix needs to land there
first anyway.
Please also take my additional fix for postinst.
(*) my server had some connectivity issues and I wasn't on irc for 48h...
and then I just re-joined #-edu now.
--
cheers,
Holger
-------------------------------------------------------------------------------
holger@(debian|reproducible-builds|layer-acht).org
PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
Marked as found in versions debian-edu-config/1.929+deb9u3.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 16 Dec 2019 20:57:06 GMT) (full text, mbox, link).
Marked as found in versions debian-edu-config/2.10.65+deb10u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 16 Dec 2019 20:57:07 GMT) (full text, mbox, link).
Marked as found in versions debian-edu-config/2.11.9.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Mon, 16 Dec 2019 20:57:08 GMT) (full text, mbox, link).
Marked as fixed in versions 1.818+deb8u3.
Request was from Dominik George <natureshadow@debian.org>
to control@bugs.debian.org.
(Wed, 18 Dec 2019 14:30:03 GMT) (full text, mbox, link).
No longer marked as fixed in versions 1.818+deb8u3.
Request was from Dominik George <natureshadow@debian.org>
to control@bugs.debian.org.
(Wed, 18 Dec 2019 14:39:16 GMT) (full text, mbox, link).
Marked as fixed in versions debian-edu-config/1.818+deb8u3.
Request was from Dominik George <natureshadow@debian.org>
to control@bugs.debian.org.
(Wed, 18 Dec 2019 14:39:18 GMT) (full text, mbox, link).
Reply sent
to Dominik George <natureshadow@debian.org>:
You have taken responsibility.
(Sat, 21 Dec 2019 16:36:03 GMT) (full text, mbox, link).
Notification sent
to Wolfgang Schweer <w.schweer@gmx.de>:
Bug acknowledged by developer.
(Sat, 21 Dec 2019 16:36:03 GMT) (full text, mbox, link).
Subject: Bug#946797: fixed in debian-edu-config 2.10.65+deb10u3
Date: Sat, 21 Dec 2019 16:32:44 +0000
Source: debian-edu-config
Source-Version: 2.10.65+deb10u3
Dominik George <natureshadow@debian.org> (supplier of updated debian-edu-config package)
Format: 1.8
Date: Mon, 16 Dec 2019 16:29:19 +0100
Source: debian-edu-config
Architecture: source
Version: 2.10.65+deb10u3
Distribution: buster-security
Urgency: high
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Dominik George <natureshadow@debian.org>
Closes: 946797
Changes:
debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high
.
* Security fix for CVE-2019-3467
.
[ Wolfgang Schweer ]
* share/debian-edu-config/tools/kerberos-kdc-init:
- Set proper rights for users in kadm5.acl file. (Closes: #946797)
* Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
.
[ Holger Levsen ]
* Improve debian/debian-edu-config.postinst fix to only run once on
upgrades.
.
[ Dominik George ]
* Add NEWS to warn administrators with possible local changes.
Reply sent
to Dominik George <natureshadow@debian.org>:
You have taken responsibility.
(Sat, 21 Dec 2019 16:36:05 GMT) (full text, mbox, link).
Notification sent
to Wolfgang Schweer <w.schweer@gmx.de>:
Bug acknowledged by developer.
(Sat, 21 Dec 2019 16:36:05 GMT) (full text, mbox, link).
Subject: Bug#946797: fixed in debian-edu-config 1.929+deb9u4
Date: Sat, 21 Dec 2019 16:33:58 +0000
Source: debian-edu-config
Source-Version: 1.929+deb9u4
Dominik George <natureshadow@debian.org> (supplier of updated debian-edu-config package)
Format: 1.8
Date: Tue, 17 Dec 2019 18:38:50 +0100
Source: debian-edu-config
Binary: debian-edu-config
Architecture: source
Version: 1.929+deb9u4
Distribution: stretch-security
Urgency: high
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Dominik George <natureshadow@debian.org>
Description:
debian-edu-config - Configuration files for Skolelinux systems
Closes: 946797
Changes:
debian-edu-config (1.929+deb9u4) stretch-security; urgency=high
.
* Security fix for CVE-2019-3467
.
[ Wolfgang Schweer ]
* share/debian-edu-config/tools/kerberos-kdc-init:
- Set proper rights for users in kadm5.acl file. (Closes: #946797)
* Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
.
[ Holger Levsen ]
* Improve debian/debian-edu-config.postinst fix to only run once on
upgrades.
.
[ Dominik George ]
* Add NEWS to warn administrators with possible local changes.
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 09 Feb 2020 07:32:38 GMT) (full text, mbox, link).