Comments

16 Comments

Fix CVE-2024-2698 and CVE-2024-3183

The krb5kdc and kadmind daemons are working with the Berkeley DB backend with this update.

As explained in this Bugzilla comment, this update is removing the lock permission for the krb5kdc_t processes. This is breaking the MIT krb5 KDC:

type=AVC msg=audit(1710509353.206:154): avc:  denied  { lock } for  pid=857 comm="krb5kdc" path="/var/kerberos/krb5kdc/principal.kadm5.lock" dev="vda2" ino=262657 scontext=system_u:system_r:krb5kdc_t:s0 tcontext=unconfined_u:object_r:krb5kdc_principal_t:s0 tclass=file permissive=0
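As an added illustration (this is not code from the krb5 package, the selinux-policy update, or the comment author): a small Python parser for AVC denial records of the kind quoted above. It extracts the source and target types, the object class and the denied permissions, renders the corresponding allow rule in the style of audit2allow, and flags the specific case described here, krb5kdc_t being denied `lock` on a krb5kdc_principal_t file. The function names and the `permissive=1` handling are my own choices; the two audit lines are constructed (the first is the one quoted in the comment, the second an unrelated httpd denial added so the filter has something to reject).

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the first line is the AVC denial quoted in the
# comment above; the second is an unrelated httpd denial added so the
# krb5kdc_t filter has something to reject.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1710509353.206:154): avc:  denied  { lock } for  pid=857 '
    'comm="krb5kdc" path="/var/kerberos/krb5kdc/principal.kadm5.lock" dev="vda2" '
    'ino=262657 scontext=system_u:system_r:krb5kdc_t:s0 '
    'tcontext=unconfined_u:object_r:krb5kdc_principal_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1710509400.001:155): avc:  denied  { read } for  pid=901 '
    'comm="httpd" path="/var/www/html/index.html" dev="vda2" ino=1001 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 '
    'tclass=file permissive=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." (spacing varies between kernels)
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
AUDIT_ID_RE = re.compile(r"audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\)")


def _context_type(ctx: str) -> str:
    """Return the type field (third component) of user:role:type[:mls]."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line: str) -> Optional[Dict]:
    """Parse one AVC record; return None for non-AVC audit lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields: Dict[str, str] = {}
    for fm in FIELD_RE.finditer(m.group("fields")):
        key, quoted, bare = fm.groups()
        fields[key] = quoted if quoted is not None else bare
    idm = AUDIT_ID_RE.search(line)
    return {
        "time": float(idm.group("time")) if idm else None,
        "serial": int(idm.group("serial")) if idm else None,
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "source_type": _context_type(fields.get("scontext", "")),
        "target_type": _context_type(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
        # permissive=1 means the denial was only logged, not enforced
        "permissive": fields.get("permissive") == "1",
    }


def allow_rule(avc: Dict) -> str:
    """Render the allow rule that would satisfy this denial (audit2allow style)."""
    return "allow {src} {tgt}:{cls} {{ {perms} }};".format(
        src=avc["source_type"], tgt=avc["target_type"], cls=avc["tclass"],
        perms=" ".join(avc["perms"]),
    )


def find_denials(lines: List[str], source_type: str) -> List[Dict]:
    """All denials whose source domain is `source_type`."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc and avc["result"] == "denied" and avc["source_type"] == source_type:
            out.append(avc)
    return out


def kdc_lock_regression(lines: List[str]) -> bool:
    """True if the KDC was denied (enforced) `lock` on its principal database
    files, the symptom described in the comment above."""
    return any(
        avc["tclass"] == "file"
        and avc["target_type"] == "krb5kdc_principal_t"
        and "lock" in avc["perms"]
        and not avc["permissive"]
        for avc in find_denials(lines, "krb5kdc_t")
    )


if __name__ == "__main__":
    for avc in find_denials(SAMPLE_AUDIT_LINES, "krb5kdc_t"):
        print(f"pid={avc['pid']} comm={avc['comm']} path={avc['path']}")
        print("  " + allow_rule(avc))
    print("KDC lock regression present:", kdc_lock_regression(SAMPLE_AUDIT_LINES))
```

On a real host the input lines would come from `ausearch -m AVC --raw`. The rendered rule shows which permission the policy stopped granting, which is the point of the bug report; it is a diagnostic, not a substitute for the policy fix.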

There are three different failures in automated tests:

  • addedfiles: Potential file conflicts in case x86_64 and i686 versions of krb5-tests are installed at the same time. I opened a bugzilla for this case.
  • license: "HPND-export-US-modify" and "RSA-MD" licenses seem to not be known by the analysis tool yet, but they are part of the SPDX standard.
  • annocheck: The tool claims LTO is not enabled at compilation. However, the -flto=auto flag is already set by $RPM_OPT_FLAGS. This is most likely a false negative.

None of these failures should be considered a blocker.

I confirm there is no AVC error reported on an IPA client when authenticating using a passkey with IPA 4.11.0-4.beta1 on a distinct server and client setup.

BZ#2238224 Passkey authentication: SELinux transition missing

I confirm this update allows IPA to generate AD-compatible PAC PrivSvr signatures, by relying on the "pac_privsvr_enctype" KDB string attribute introduced in krb5 1.21.

jrische commented & provided feedback on krb5-1.21-2.fc39 a year ago

The problems related to the CI and TMT are now fixed. But tests are still failing due to the upgrade to Python 3.12, which removed a function used by krb5 tests. I opened an upstream pull request to fix this: https://github.com/krb5/krb5/pull/1307

I tested this change locally. It allows all tests to pass.

I will waive the test failure for this advisory, and update the krb5 dist-git repo once the upstream PR is accepted.

jrische commented & provided feedback on krb5-1.21-2.fc39 a year ago

The issue was reported to the TMT project: https://github.com/teemtee/tmt/issues/2205

jrische commented & provided feedback on krb5-1.21-2.fc39 a year ago

The issue mentioned in my last comment is fixed, but there is another issue related to TMT or Ansible:

Package manager "None" is not supported.

jrische commented & provided feedback on krb5-1.21-2.fc39 a year ago

The functional tests for this advisory are blocked because of this issue: https://pagure.io/fedora-ci/general/issue/419

jrische commented & provided feedback on krb5-1.21-2.fc39 a year ago

The rpmdeplint test failure is due to the fact that some paths are used for both the i686 and the x86_64 versions of krb5-tests.

Since this package is used for testing only, it should not impact users. I will fix it in a future release.

The failure of the "rpminspect.static-analysis" test is due to the content of krb5-tests. This package includes the full content of the build directory. It is used to run upstream tests in TMT. This package is only meant for testing purposes.

The following operations are working:

  • Server and client installation
  • User and group creation
  • Hostgroup creation
  • HBAC rules configuration
  • HBAC working as expected for Kerberos-authenticated SSH login

This update fixes the krb5 upstream test t_discover_uri.py for KDC discovery using DNS URI record lookup.