RT/krbdev.mit.edu: Ticket #7093 Access controls for string RPCs [CVE-2012-1012]

 The Basics  
Id: 7093
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

 Keyword Selections  
Component:
Tags:
Version_reported:
Version_Fixed: 1.10.1
Target_Version: 1.10.1
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
  • 7097: (ghudson) improve kadm5 acl testing coverage [resolved]
 
 Dates  
Created: Tue Feb 21 14:14:47 2012
Starts: Not set
Started: Tue Feb 21 14:14:47 2012
Last Contact: Tue Feb 21 23:11:57 2012
Due: Not set
Updated: Wed Dec 16 18:02:58 2015 by tlyu
 

 People  
Owner: ghudson
Requestors: ghudson@mit.edu
Cc:
AdminCc:
 


History
      Tue Feb 21 14:14:47 2012  ghudson - Ticket created    
     
From: ghudson@mit.edu
Subject: SVN Commit


In the kadmin protocol, make the access controls for
get_strings/set_string mirror those of get_principal/modify_principal.
Previously, anyone with global list privileges could get or modify
string attributes on any principal.  The impact of this depends on how
generous the kadmind acl is with list permission and whether string
attributes are used in a deployment (nothing in the core code uses
them yet).

CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C

http://src.mit.edu/fisheye/changelog/krb5/?cs=25704
Commit By: ghudson
Revision: 25704
Changed Files:
U   trunk/src/kadmin/server/server_stubs.c


      Tue Feb 21 14:14:47 2012  ghudson - Requestor ghudson@mit.edu added    
      Tue Feb 21 14:14:47 2012  ghudson - Status changed from new to review    
      Tue Feb 21 14:14:47 2012  ghudson - Tags pullup added    
      Tue Feb 21 14:14:48 2012  ghudson - Target_Version 1.10.1 added    
      Tue Feb 21 23:11:57 2012  tlyu - Status changed from review to resolved    
      Tue Feb 21 23:11:57 2012  tlyu - Version_Fixed 1.10.1 added    
      Tue Feb 21 23:11:57 2012  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit


Pull up r25704 from trunk

 ------------------------------------------------------------------------
 r25704 | ghudson | 2012-02-21 14:14:47 -0500 (Tue, 21 Feb 2012) | 15 lines

 ticket: 7093
 subject: Access controls for string RPCs [CVE-2012-1012]
 target_version: 1.10.1
 tags: pullup

 In the kadmin protocol, make the access controls for
 get_strings/set_string mirror those of get_principal/modify_principal.
 Previously, anyone with global list privileges could get or modify
 string attributes on any principal.  The impact of this depends on how
 generous the kadmind acl is with list permission and whether string
 attributes are used in a deployment (nothing in the core code uses
 them yet).

 CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C

http://src.mit.edu/fisheye/changelog/krb5/?cs=25709
Commit By: tlyu
Revision: 25709
Changed Files:
U   branches/krb5-1-10/src/kadmin/server/server_stubs.c


      Wed Dec 16 18:02:58 2015  tlyu - Keyword pullup deleted
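
Added example (not part of the ticket or of the krb5 source): an audit of a kadm5.acl file that flags entries holding list permission whose inquire or modify rights are missing or target-scoped. On a kadmind without this fix, these are the entries that could reach string attributes beyond their get_principal/modify_principal rights. The sample ACL, the realm and the function names are constructed. The script assumes the documented `principal permissions [target]` line format, evaluates each entry on its own, and conservatively treats list on a target-scoped entry as global.

```python
# Added example: audit kadm5.acl for the exposure described in ticket #7093.
# Before the fix, list ('l') was enough to call get_strings/set_string on any
# principal; after it, the checks mirror get_principal ('i') and
# modify_principal ('m').

ALL_PERMS = set("admcilsp")  # what 'x' and '*' expand to in kadm5.acl

# Constructed sample ACL, not taken from the ticket.
SAMPLE_ACL = """\
# constructed sample
*/admin@EXAMPLE.COM      *
helpdesk@EXAMPLE.COM     l
auditor@EXAMPLE.COM      il
ops/*@EXAMPLE.COM        ilm   */host@EXAMPLE.COM
backup@EXAMPLE.COM       p
"""

def parse_perms(field):
    """Expand a permissions field; an uppercase letter revokes that right."""
    perms = set()
    for ch in field:
        if ch in "x*":
            perms |= ALL_PERMS
        elif ch.lower() in ALL_PERMS:
            if ch.islower():
                perms.add(ch)
            else:
                perms.discard(ch.lower())
    return perms

def audit(acl_text):
    """Return (line number, principal, excess string RPCs) per risky entry."""
    findings = []
    for lineno, raw in enumerate(acl_text.splitlines(), 1):
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        perms = parse_perms(fields[1])
        if "l" not in perms:
            continue
        # Assumption: a target-scoped entry still grants list globally, so its
        # 'i'/'m' rights do not cover every principal the string RPCs reached.
        scoped = len(fields) >= 3 and fields[2] != "*"
        excess = [rpc for need, rpc in (("i", "get_strings"), ("m", "set_string"))
                  if need not in perms or scoped]
        if excess:
            findings.append((lineno, fields[0], excess))
    return findings
```

Overlapping wildcard entries are not resolved against each other here, so review flagged lines in the order kadmind would match them.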