RHBA-2011:1031 - Bug Fix Advisory

Topic

Updated krb5 packages that fix multiple bugs and add one enhancement are now
available for Red Hat Enterprise Linux 5.

Description

Kerberos is a network authentication system which allows clients and servers to
authenticate to each other with the help of a trusted third party, a KDC.

This update fixes the following bugs:

• Prior to this update,the lock of the realm database could, under certain

circumstances, not be released. Due to this problem, the lock could not be
acquired until the clearing process was stopped or restarted. With this update,
the realm database is successfully locked. (BZ#586032)

• Prior to this update,the Kerberos-aware FTP server did not parse the

"restrict" keyword correctly when it was used in /etc/ftpusers. This update
modifies the code so that the server parses the "restrict" keyword correctly.
(BZ#644215)

• Prior to this update,the Kerberos-aware FTP client did not correctly display

the size of a transferred file on 32-bit systems if the size of the file
exceeded 4GB. This update modifies the type of the variable used to track the
number of bytes transferred. (BZ#648404)

• Prior to this update, the client libraries failed, under certain

circumstances, to parse an error reply message from the server when trying to
change passwords. With this update, the client library can parse the message and
correctly returns the reported error to its caller. (BZ#658871)

• Prior to this update, Kerberos-aware servers leaked memory when replay caching

was disabled. This update modifies the code so that no more memory leaks occur.
(BZ#678205)

• Prior to this update, the SELinux label was not maintained for replay cache

files when expired entries were expunged. This update maintains the reply cache
files in such a case. (BZ#712453)

This update also adds the following enhancement:

• Prior to this update, the Kerberos-aware FTP client was not able to parse user

commands if the length of the command exceeded the limit of 500 characters. This
update allows for the Kerberos-aware FTP client to parse user commands without
character limit. (BZ#665833)

All Kerberos users are advised to upgrade to these updated packages, which fix
these bugs and add this enhancement.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259/

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 586032 - kadmind fails to lock db during password change: Cannot lock database
• BZ - 644215 - krb5ftpd off by one error when reading /etc/ftpusers for restricted users
• BZ - 648404 - Kerberos ftp shows wrong transferred bytes when transferring a file in size of more than 4GiB.
• BZ - 658871 - krb5-lib wrongly considers KRB5KRB_AP_ERR_REPEAT error from MS AD as correct application reply leading to wrong error "Requested protocol version not supported"
• BZ - 712453 - application linked to krb5-libs creates /var/tmp/host_0 with wrong selinux context

CVEs

(none)

References

(none)