Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) From: tlyu@mit.edu Subject: SVN Commit RT-Send-CC: X-RT-Original-Encoding: iso-8859-1 Content-Length: 944 Pull up r25704 from trunk ------------------------------------------------------------------------ r25704 | ghudson | 2012-02-21 14:14:47 -0500 (Tue, 21 Feb 2012) | 15 lines ticket: 7093 subject: Access controls for string RPCs [CVE-2012-1012] target_version: 1.10.1 tags: pullup In the kadmin protocol, make the access controls for get_strings/set_string mirror those of get_principal/modify_principal. Previously, anyone with global list privileges could get or modify string attributes on any principal. The impact of this depends on how generous the kadmind acl is with list permission and whether string attributes are used in a deployment (nothing in the core code uses them yet). CVSSv2 vector: AV:N/AC:M/Au:S/C:P/I:P/A:N/E:H/RL:O/RC:C https://github.com/krb5/krb5/commit/d83bc412c6e56463f1e333a61cc1f600ed9a65fe Commit By: tlyu Revision: 25709 Changed Files: U branches/krb5-1-10/src/kadmin/server/server_stubs.c