* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
@ 2017-07-18 8:26 Alex Vong
2017-07-18 15:49 ` Leo Famulari
0 siblings, 1 reply; 13+ messages in thread
From: Alex Vong @ 2017-07-18 8:26 UTC (permalink / raw)
To: 27749
[-- Attachment #1.1: Type: text/plain, Size: 361 bytes --]
Tags: security
Hello,
This patch upgrades heimdal to its latest version, fixing
CVE-2017-11103. Here are a few remarks:
1. Upstream switches to github for hosting
2. A lot of libraries are bundled
3. Many db tests fail
4. It does not build reproducibly
I decided to submit this even though many db tests fail because I think we
should fix CVE-2017-11103 asap.
[-- Attachment #1.2: 0001-gnu-heimdal-Update-to-7.4.0-fixes-CVE-2017-11103.patch --]
[-- Type: text/x-diff, Size: 5988 bytes --]
From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
---
gnu/packages/kerberos.scm | 69 ++++++++++++++++++++++++++++++++++++-----------
1 file changed, 54 insertions(+), 15 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..5682a0add 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -5,6 +5,7 @@
;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org>
;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -23,6 +24,7 @@
(define-module (gnu packages kerberos)
#:use-module (gnu packages)
+ #:use-module (gnu packages autotools)
#:use-module (gnu packages bison)
#:use-module (gnu packages perl)
#:use-module (gnu packages gnupg)
@@ -32,6 +34,7 @@
#:use-module (gnu packages compression)
#:use-module (gnu packages databases)
#:use-module (gnu packages readline)
+ #:use-module (gnu packages texinfo)
#:use-module (gnu packages tls)
#:use-module ((guix licenses) #:prefix license:)
#:use-module (guix packages)
@@ -136,24 +139,30 @@ secure manner through client-server mutual authentication via tickets.")
(define-public heimdal
(package
(name "heimdal")
- (version "1.5.3")
+ (version "7.4.0")
(source (origin
(method url-fetch)
- (uri (string-append "http://www.h5l.org/dist/src/heimdal-"
- version ".tar.gz"))
+ (uri (string-append "https://github.com/" name "/" name
+ "/releases/download/" name "-" version
+ "/" name "-" version ".tar.gz"))
(sha256
(base32
- "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+ "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x"))
(modules '((guix build utils)))
- (snippet
+ (snippet ;FIXME: remove bundled libraries
'(substitute* "configure"
(("User=.*$") "User=Guix\n")
(("Date=.*$") "Date=2017\n")))))
(build-system gnu-build-system)
(arguments
- '(#:configure-flags (list
- ;; Work around a linker error.
- "CFLAGS=-pthread"
+ '(#:modules ((guix build gnu-build-system)
+ (guix build utils)
+ (srfi srfi-26))
+
+ #:configure-flags (list
+ (string-append "CPPFLAGS=-D_PATH_BSHELL="
+ (assoc-ref %build-inputs "bash")
+ "/bin/sh")
;; Avoid 7 MiB of .a files.
"--disable-static"
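Review bot: The `(snippet ;FIXME: remove bundled libraries` line admits that the bundled copies stay in the source, so this update would build a Kerberos implementation against third-party code that has not been reviewed here. Resolve the FIXME in the snippet (delete the bundled directories and point configure at the packaged libraries) before merging, or at least list in the comment which bundled libraries are still compiled in. The hunk also drops `"CFLAGS=-pthread"` together with its "Work around a linker error" comment without explanation; the commit log should say whether 7.4.0 no longer needs it.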
@@ -167,17 +176,47 @@ secure manner through client-server mutual authentication via tickets.")
(assoc-ref %build-inputs "readline") "/include"))
#:phases (modify-phases %standard-phases
+ (add-after 'unpack 'pre-build
+ (lambda _
+ (for-each (lambda (file) ;fix sh paths
+ (substitute* file
+ (("/bin/sh")
+ (which "sh"))))
+ '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
+ (substitute* "lib/roken/getxxyyy.c" ;set user during test
+ (("user = getenv\\(\"USER\"\\);")
+ (format #f
+ "#ifndef TEST_GETXXYYY
+#error \"TEST_GETXXYYY is not defined\"
+#endif
+user = \"~a\";
+"
+ (passwd:name (getpwuid (getuid))))))
+ #t))
+
+ (add-after 'pre-build 'autogen
+ (lambda _
+ (zero? (system* "sh" "autogen.sh"))))
+
(add-before 'check 'skip-tests
(lambda _
- ;; The test simply runs 'ftp --version && ftp --help'
- ;; but that fails in the chroot because 'ftp' tries to
- ;; do a service lookup before printing the help/version.
- (substitute* "appl/ftp/ftp/Makefile.in"
- (("^CHECK_LOCAL =.*")
- "CHECK_LOCAL = no-check-local\n"))
+ ;; skip db tests for now
+ ;; FIXME: figure out why they fail
+ (call-with-output-file "tests/db/have-db.in"
+ (cut format <> "#!~a~%exit 1~%" (which "sh")))
#t)))))
+
(native-inputs `(("e2fsprogs" ,e2fsprogs))) ;for 'compile_et'
- (inputs `(("readline" ,readline)
+ (inputs `(("autoconf" ,autoconf) ;for autogen
+ ("automake" ,automake)
+ ("libtool" ,libtool)
+ ("perl" ,perl)
+ ("perl-json" ,perl-json)
+
+ ("texinfo" ,texinfo) ;for doc
+ ("unzip" ,unzip) ;for test
+
+ ("readline" ,readline)
("bdb" ,bdb)
("e2fsprogs" ,e2fsprogs))) ;for libcom_err
(home-page "http://www.h5l.org/")
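Review bot: In the 'skip-tests phase, overwriting "tests/db/have-db.in" with a script that runs `exit 1` skips the db tests wholesale, and the `;; FIXME: figure out why they fail` comment leaves no record of which tests failed or how. For a security update I would rather see the failing tests named and disabled individually, or the failure summarised in the comment, so the skip can be removed later. Two smaller points in the same hunk: autoconf, automake and libtool are only needed to run autogen.sh and belong in native-inputs rather than inputs, and "unzip" is added here but is missing from the [inputs] line of the commit log. The unchanged `(home-page "http://www.h5l.org/")` line may also deserve a look now that the source URI points elsewhere.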
--
2.13.3
[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]
Cheers,
Alex
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-07-18 8:26 [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103] Alex Vong
@ 2017-07-18 15:49 ` Leo Famulari
2017-07-18 15:51 ` Leo Famulari
` (2 more replies)
0 siblings, 3 replies; 13+ messages in thread
From: Leo Famulari @ 2017-07-18 15:49 UTC (permalink / raw)
To: Alex Vong; +Cc: 27749
[-- Attachment #1: Type: text/plain, Size: 2208 bytes --]
On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> This patch upgrades heimdal to its latest version, fixing
> CVE-2017-11103. Here are a few remarks:
Thanks! We also need to look at our samba package, which bundles heimdal
(we should fix that).
> 1. Upstream switches to github for hosting
Okay.
> 2. A lot of libraries are bundled
Which directory are they in? We should take a look at them and weigh the
risk of adding new vulnerabilities through the use of (possibly old and
unmaintained) bundled libraries.
If things look complicated, maybe it's possible to apply a patch to this
older Heimdal while we figure everything out.
Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
long-term-support distro. I noticed an unrelated patch for Heimdal
1.6 here:
https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
> 3. Many db tests fail
Do you think they are a problem in practice? Ludovic, you added Heimdal,
what do you think about this big version bump?
> 4. It does not build reproducibly
Not great but also not a blocker.
> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
> #:phases (modify-phases %standard-phases
> + (add-after 'unpack 'pre-build
> + (lambda _
> + (for-each (lambda (file) ;fix sh paths
> + (substitute* file
> + (("/bin/sh")
> + (which "sh"))))
> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
the generated Makefile directly?
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-07-18 15:49 ` Leo Famulari
@ 2017-07-18 15:51 ` Leo Famulari
2017-07-18 15:53 ` Leo Famulari
2017-07-19 9:22 ` Alex Vong
2 siblings, 0 replies; 13+ messages in thread
From: Leo Famulari @ 2017-07-18 15:51 UTC (permalink / raw)
To: Alex Vong; +Cc: 27749
[-- Attachment #1: Type: text/plain, Size: 509 bytes --]
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> On Tue, Jul 18, 2017 at 04:26:23PM +0800, Alex Vong wrote:
> > This patch upgrades heimdal to its latest version, fixing
> > CVE-2017-11103. Here are a few remarks:
>
> Thanks! We also need to look at our samba package, which bundles heimdal
> (we should fix that).
This vulnerability in samba's bundled heimdal was fixed in
81dfbffc5480699f79ea23a82bf8a4a557176670. Perhaps we can find inspiration
for a patch there, if necessary.
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-07-18 15:49 ` Leo Famulari
2017-07-18 15:51 ` Leo Famulari
@ 2017-07-18 15:53 ` Leo Famulari
2017-07-19 9:22 ` Alex Vong
2 siblings, 0 replies; 13+ messages in thread
From: Leo Famulari @ 2017-07-18 15:53 UTC (permalink / raw)
To: Alex Vong; +Cc: 27749
[-- Attachment #1: Type: text/plain, Size: 539 bytes --]
On Tue, Jul 18, 2017 at 11:49:06AM -0400, Leo Famulari wrote:
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
I'm not sure what version of heimdal FreeBSD packages, but they are
offering a patch for this, linked from their advisory:
https://www.freebsd.org/security/advisories/FreeBSD-SA-17:05.heimdal.asc
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-07-18 15:49 ` Leo Famulari
2017-07-18 15:51 ` Leo Famulari
2017-07-18 15:53 ` Leo Famulari
@ 2017-07-19 9:22 ` Alex Vong
2017-07-19 11:04 ` Alex Vong
2 siblings, 1 reply; 13+ messages in thread
From: Alex Vong @ 2017-07-19 9:22 UTC (permalink / raw)
To: Leo Famulari; +Cc: 27749
[-- Attachment #1.1: Type: text/plain, Size: 2508 bytes --]
Leo Famulari <leo@famulari.name> writes:
[...]
>> 2. A lot of libraries are bundled
>
> Which directory are they in? We should take a look at them and weigh the
> risk of adding new vulnerabilities through the use of (possibly old and
> unmaintained) bundled libraries.
>
They live in lib/. Also the configure script provides options to use
system libraries instead of bundled ones.
> If things look complicated, maybe it's possible to apply a patch to this
> older Heimdal while we figure everything out.
>
> Maybe we can find a patch for CVE-2017-11103 from Red Hat or another
> long-term-support distro. I noticed an unrelated patch for Heimdal
> 1.6 here:
> https://anonscm.debian.org/cgit/collab-maint/heimdal.git/commit/?h=debian/jessie&id=6d27073da8b45b5c67ca4ad74696489e49c4df1a
>
Agree, we should patch the old version first and deal with the bundled
libraries and test failures later.
>> 3. Many db tests fail
>
> Do you think they are a problem in practice? Ludovic, you added Heimdal,
> what do you think about this big version bump?
>
I don't know. I am hoping some test failures will disappear after we
remove bundled libraries.
>> 4. It does not build reproducibly
>
> Not great but also not a blocker.
>
>> From c14ef8d3d957ccf965918a5190c2cac695a6da7e Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Tue, 18 Jul 2017 06:36:48 +0800
>> Subject: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
>>
>> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
>> [source]: Update source uri.
>> [arguments]: Adjust #:configure-flags and build phases accordingly.
>> [inputs]: Add autoconf, automake, libtool, perl, perl-json and texinfo.
>
>> #:phases (modify-phases %standard-phases
>> + (add-after 'unpack 'pre-build
>> + (lambda _
>> + (for-each (lambda (file) ;fix sh paths
>> + (substitute* file
>> + (("/bin/sh")
>> + (which "sh"))))
>> + '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
>
> Do we re-bootstrap because we edit Makefile.am? Is it possible to edit
> the generated Makefile directly?
I will try but personally I prefer patching the source and regenerating
the generated files. Patching the generated files feels like a hack to
me. What do you think?
Thanks for the suggestions!
Here is the patch:
[-- Attachment #1.2: 0001-gnu-heimdal-Fix-CVE-2017-11103.patch --]
[-- Type: text/x-diff, Size: 3800 bytes --]
From fedc82524dcc8d0e8052a4837d7864fe84ca6f8e Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-11103.
* gnu/packages/patches/heimdal-CVE-2017-11103.patch: New file.
* gnu/local.mk (dist_patch_DATA): Add it.
* gnu/packages/kerberos.scm (heimdal)[source]: Use it.
---
gnu/local.mk | 1 +
gnu/packages/kerberos.scm | 1 +
gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 +++++++++++++++++++++++
3 files changed, 47 insertions(+)
create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..d2ae454c0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,7 @@ dist_patch_DATA = \
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
%D%/packages/patches/hdf-eos5-fix-szip.patch \
%D%/packages/patches/hdf-eos5-fortrantests.patch \
+ %D%/packages/patches/heimdal-CVE-2017-11103.patch \
%D%/packages/patches/higan-remove-march-native-flag.patch \
%D%/packages/patches/hubbub-sort-entities.patch \
%D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..3b0050fc1 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,7 @@ secure manner through client-server mutual authentication via tickets.")
(sha256
(base32
"19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+ (patches (search-patches "heimdal-CVE-2017-11103.patch"))
(modules '((guix build utils)))
(snippet
'(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'. Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+ /* check server referral and save principal */
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+- rep->kdc_rep.ticket.sname,
+- rep->kdc_rep.ticket.realm);
++ rep->enc_part.sname,
++ rep->enc_part.srealm);
+ if (ret)
+ goto out;
+ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+--
+2.13.3
+
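Review bot: The header of heimdal-CVE-2017-11103.patch says the change is "lifted from upstream source repository" but not whether it was applied unmodified to the release being packaged. Add one sentence stating that the upstream hunk for lib/krb5/ticket.c applies as-is (or what was adjusted), so a later reader can diff it against commit 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea without guessing.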
--
2.13.3
[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]
Cheers,
Alex
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-07-19 9:22 ` Alex Vong
@ 2017-07-19 11:04 ` Alex Vong
2017-07-20 19:51 ` Leo Famulari
0 siblings, 1 reply; 13+ messages in thread
From: Alex Vong @ 2017-07-19 11:04 UTC (permalink / raw)
To: Leo Famulari; +Cc: 27749
[-- Attachment #1.1: Type: text/plain, Size: 379 bytes --]
I found out that our version of heimdal is also affected by
CVE-2017-6594. So I amended the previous patch to fix it as well.
Changes to 'NEWS' and files in 'tests/' do not apply, so I removed
them. Also, I changed hunk#4 of 'kdc/krb5tgs.c' so that it applies.
It used to be:
foo
foo*
+bar
+bar*
baz
baz*
Now it is:
foo
foo*
+bar
+bar*
<empty-line>
Here is the updated patch:
[-- Attachment #1.2: 0001-gnu-heimdal-Fix-CVE-2017-6594-11103.patch --]
[-- Type: scm, Size: 7339 bytes --]
From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Wed, 19 Jul 2017 17:01:47 +0800
Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
* gnu/packages/patches/heimdal-CVE-2017-6594.patch,
gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/kerberos.scm (heimdal)[source]: Use them.
---
gnu/local.mk | 2 +
gnu/packages/kerberos.scm | 2 +
gnu/packages/patches/heimdal-CVE-2017-11103.patch | 45 ++++++++++++
gnu/packages/patches/heimdal-CVE-2017-6594.patch | 85 +++++++++++++++++++++++
4 files changed, 134 insertions(+)
create mode 100644 gnu/packages/patches/heimdal-CVE-2017-11103.patch
create mode 100644 gnu/packages/patches/heimdal-CVE-2017-6594.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index 92ad112cf..5f4bc47a0 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -691,6 +691,8 @@ dist_patch_DATA = \
%D%/packages/patches/hdf-eos5-remove-gctp.patch \
%D%/packages/patches/hdf-eos5-fix-szip.patch \
%D%/packages/patches/hdf-eos5-fortrantests.patch \
+ %D%/packages/patches/heimdal-CVE-2017-6594.patch \
+ %D%/packages/patches/heimdal-CVE-2017-11103.patch \
%D%/packages/patches/higan-remove-march-native-flag.patch \
%D%/packages/patches/hubbub-sort-entities.patch \
%D%/packages/patches/hurd-fix-eth-multiplexer-dependency.patch \
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 58f619770..59fd944c6 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -144,6 +144,8 @@ secure manner through client-server mutual authentication via tickets.")
(sha256
(base32
"19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
+ (patches (search-patches "heimdal-CVE-2017-6594.patch"
+ "heimdal-CVE-2017-11103.patch"))
(modules '((guix build utils)))
(snippet
'(substitute* "configure"
diff --git a/gnu/packages/patches/heimdal-CVE-2017-11103.patch b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
new file mode 100644
index 000000000..d76f0df36
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-11103.patch
@@ -0,0 +1,45 @@
+Fix CVE-2017-11103:
+
+https://orpheus-lyre.info/
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11103
+https://security-tracker.debian.org/tracker/CVE-2017-11103
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/6dd3eb836bbb80a00ffced4ad57077a1cdf227ea
+
+From 6dd3eb836bbb80a00ffced4ad57077a1cdf227ea Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 12 Apr 2017 15:40:42 -0400
+Subject: [PATCH] CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
+
+In _krb5_extract_ticket() the KDC-REP service name must be obtained from
+encrypted version stored in 'enc_part' instead of the unencrypted version
+stored in 'ticket'. Use of the unecrypted version provides an
+opportunity for successful server impersonation and other attacks.
+
+Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
+
+Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c
+---
+ lib/krb5/ticket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/krb5/ticket.c b/lib/krb5/ticket.c
+index d95d96d1b..b8d81c6ad 100644
+--- a/lib/krb5/ticket.c
++++ b/lib/krb5/ticket.c
+@@ -705,8 +705,8 @@ _krb5_extract_ticket(krb5_context context,
+ /* check server referral and save principal */
+ ret = _krb5_principalname2krb5_principal (context,
+ &tmp_principal,
+- rep->kdc_rep.ticket.sname,
+- rep->kdc_rep.ticket.realm);
++ rep->enc_part.sname,
++ rep->enc_part.srealm);
+ if (ret)
+ goto out;
+ if((flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) == 0){
+--
+2.13.3
+
diff --git a/gnu/packages/patches/heimdal-CVE-2017-6594.patch b/gnu/packages/patches/heimdal-CVE-2017-6594.patch
new file mode 100644
index 000000000..714af6030
--- /dev/null
+++ b/gnu/packages/patches/heimdal-CVE-2017-6594.patch
@@ -0,0 +1,85 @@
+Fix CVE-2017-6594:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6594
+https://security-tracker.debian.org/tracker/CVE-2017-6594
+
+Patch lifted from upstream source repository:
+
+https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
+
+To apply the patch to Heimdal 1.5.3 release tarball, the changes to 'NEWS' and
+files in 'tests/' are removed, and hunk #4 of 'kdc/krb5tgs.c' is modified.
+
+From b1e699103f08d6a0ca46a122193c9da65f6cf837 Mon Sep 17 00:00:00 2001
+From: Viktor Dukhovni <viktor@twosigma.com>
+Date: Wed, 10 Aug 2016 23:31:14 +0000
+Subject: [PATCH] Fix transit path validation CVE-2017-6594
+
+Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
+to not be added to the transit path of issued tickets. This may, in
+some cases, enable bypass of capath policy in Heimdal versions 1.5
+through 7.2.
+
+Note, this may break sites that rely on the bug. With the bug some
+incomplete [capaths] worked, that should not have. These may now break
+authentication in some cross-realm configurations.
+---
+ NEWS | 14 ++++++++++++++
+ kdc/krb5tgs.c | 12 ++++++++++--
+ tests/kdc/check-kdc.in | 17 +++++++++++++++++
+ tests/kdc/krb5.conf.in | 4 ++++
+ 4 files changed, 45 insertions(+), 2 deletions(-)
+
+diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
+index 6048b9c55..98503812f 100644
+--- a/kdc/krb5tgs.c
++++ b/kdc/krb5tgs.c
+@@ -655,8 +655,12 @@ fix_transited_encoding(krb5_context context,
+ "Decoding transited encoding");
+ return ret;
+ }
++
++ /*
++ * If the realm of the presented tgt is neither the client nor the server
++ * realm, it is a transit realm and must be added to transited set.
++ */
+ if(strcmp(client_realm, tgt_realm) && strcmp(server_realm, tgt_realm)) {
+- /* not us, so add the previous realm to transited set */
+ if (num_realms + 1 > UINT_MAX/sizeof(*realms)) {
+ ret = ERANGE;
+ goto free_realms;
+@@ -737,6 +741,7 @@ tgs_make_reply(krb5_context context,
+ const char *server_name,
+ hdb_entry_ex *client,
+ krb5_principal client_principal,
++ const char *tgt_realm,
+ hdb_entry_ex *krbtgt,
+ krb5_enctype krbtgt_etype,
+ krb5_principals spp,
+@@ -798,7 +803,7 @@ tgs_make_reply(krb5_context context,
+ &tgt->transited, &et,
+ krb5_principal_get_realm(context, client_principal),
+ krb5_principal_get_realm(context, server->entry.principal),
+- krb5_principal_get_realm(context, krbtgt->entry.principal));
++ tgt_realm);
+ if(ret)
+ goto out;
+
+@@ -1519,4 +1524,6 @@ tgs_build_reply(krb5_context context,
+ krb5_keyblock sessionkey;
+ krb5_kvno kvno;
+ krb5_data rspac;
++ const char *tgt_realm = /* Realm of TGT issuer */
++ krb5_principal_get_realm(context, krbtgt->entry.principal);
+
+@@ -2324,6 +2331,7 @@ server_lookup:
+ spn,
+ client,
+ cp,
++ tgt_realm,
+ krbtgt_out,
+ tkey_sign->key.keytype,
+ spp,
+--
+2.13.3
+
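Review bot: The embedded diffstat still lists NEWS, tests/kdc/check-kdc.in and tests/kdc/krb5.conf.in ("4 files changed, 45 insertions(+), 2 deletions(-)") although only the kdc/krb5tgs.c hunks remain, so the file contradicts its own header note; trim the diffstat or mark it as upstream's original. Dropping the tests/kdc changes also means nothing in the build exercises the backported transit-path check, and hunk #4 (`@@ -1519,4 +1524,6 @@`) was edited by hand, so please confirm on the 1.5.3 tree that the `tgt_realm` declaration lands among the other declarations of tgs_build_reply and that the patch applies without fuzz.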
--
2.13.3
[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]
Cheers,
Alex
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-07-19 11:04 ` Alex Vong
@ 2017-07-20 19:51 ` Leo Famulari
2017-10-18 21:31 ` Ricardo Wurmus
0 siblings, 1 reply; 13+ messages in thread
From: Leo Famulari @ 2017-07-20 19:51 UTC (permalink / raw)
To: Alex Vong; +Cc: 27749
[-- Attachment #1: Type: text/plain, Size: 970 bytes --]
On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
> Here is the updated patch:
>
> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Wed, 19 Jul 2017 17:01:47 +0800
> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>
> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
> * gnu/local.mk (dist_patch_DATA): Add them.
> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
Thanks! I recreated the commit since the patch no longer applied to
'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
I'm leaving this bug open for now so we can discuss the update.
By the way everyone, the vulnerability disclosure / promotion web page,
<https://orpheus-lyre.info>, has a nice primer on the bug (warning, the
page plays music automatically). Thanks for including that, Alex.
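The check that the upstream fix for CVE-2017-11103 changes (see the commit message quoted in the patch earlier in this thread), as a simplified C model added here; it is not Heimdal's code and not part of any message in the thread. The struct and function names are hypothetical, principals are plain strings rather than ASN.1 types, and referral handling is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_COMP 4

/* Hypothetical, simplified principal: realm plus name components,
 * e.g. host/files.example.org@EXAMPLE.ORG. */
struct principal {
    const char *realm;
    size_t ncomp;
    const char *comp[MAX_COMP];
};

/* Model of the two places a KDC-REP names the service. */
struct kdc_rep_model {
    struct principal ticket_server; /* kdc_rep.ticket.{sname,realm}: sent in the clear */
    struct principal enc_server;    /* enc_part.{sname,srealm}: inside the encrypted part,
                                       readable only with the key shared with the KDC */
};

enum verdict { REPLY_OK = 0, REPLY_SERVER_MISMATCH = 1 };

static bool principal_equal(const struct principal *a, const struct principal *b)
{
    if (strcmp(a->realm, b->realm) != 0 || a->ncomp != b->ncomp)
        return false;
    for (size_t i = 0; i < a->ncomp; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return false;
    return true;
}

/* Behaviour before the fix: the requested service is compared with the
 * cleartext name, which anyone on the network path can rewrite. */
enum verdict check_server_prepatch(const struct kdc_rep_model *rep,
                                   const struct principal *requested)
{
    return principal_equal(&rep->ticket_server, requested)
               ? REPLY_OK : REPLY_SERVER_MISMATCH;
}

/* Behaviour after the fix: the comparison uses the name from the
 * encrypted part, which is integrity-protected by the reply key. */
enum verdict check_server_patched(const struct kdc_rep_model *rep,
                                  const struct principal *requested)
{
    return principal_equal(&rep->enc_server, requested)
               ? REPLY_OK : REPLY_SERVER_MISMATCH;
}

/* In this model, a reply whose two copies of the service name differ is
 * worth logging regardless of which copy the client trusts. */
bool cleartext_disagrees(const struct kdc_rep_model *rep)
{
    return !principal_equal(&rep->ticket_server, &rep->enc_server);
}

/* Constructed sample data, not captured traffic. */
const struct principal REQUESTED =
    { "EXAMPLE.ORG", 2, { "host", "files.example.org" } };

const struct kdc_rep_model GENUINE_REPLY = {
    { "EXAMPLE.ORG", 2, { "host", "files.example.org" } },
    { "EXAMPLE.ORG", 2, { "host", "files.example.org" } },
};

/* Cleartext copy matches the request; the encrypted copy names the
 * service the ticket was really issued for. */
const struct kdc_rep_model ALTERED_REPLY = {
    { "EXAMPLE.ORG", 2, { "host", "files.example.org" } },
    { "EXAMPLE.ORG", 2, { "host", "other.example.org" } },
};

int main(void)
{
    printf("genuine: prepatch=%d patched=%d\n",
           check_server_prepatch(&GENUINE_REPLY, &REQUESTED),
           check_server_patched(&GENUINE_REPLY, &REQUESTED));
    printf("altered: prepatch=%d patched=%d disagrees=%d\n",
           check_server_prepatch(&ALTERED_REPLY, &REQUESTED),
           check_server_patched(&ALTERED_REPLY, &REQUESTED),
           cleartext_disagrees(&ALTERED_REPLY));
    return 0;
}
```
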
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-07-20 19:51 ` Leo Famulari
@ 2017-10-18 21:31 ` Ricardo Wurmus
2017-10-19 14:57 ` Alex Vong
0 siblings, 1 reply; 13+ messages in thread
From: Ricardo Wurmus @ 2017-10-18 21:31 UTC (permalink / raw)
To: Alex Vong; +Cc: 27749
Hi Alex,
> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>> Here is the updated patch:
>>
>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>> From: Alex Vong <alexvong1995@gmail.com>
>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>
>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>> * gnu/local.mk (dist_patch_DATA): Add them.
>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>
> Thanks! I recreated the commit since the patch no longer applied to
> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>
> I'm leaving this bug open for now so we can discuss the update.
As mentioned before, the new release bundles a bunch of third party
libraries. It is not clear to me if *all* things under “lib” are
external libraries or if some of them are part of the source code of
heimdal.
Can we learn from the Debian package for heimdal here?
I think we really ought to update from the very old version we are using
currently.
--
Ricardo
GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
https://elephly.net
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-10-18 21:31 ` Ricardo Wurmus
@ 2017-10-19 14:57 ` Alex Vong
2017-10-21 9:52 ` Alex Vong
0 siblings, 1 reply; 13+ messages in thread
From: Alex Vong @ 2017-10-19 14:57 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: 27749
[-- Attachment #1: Type: text/plain, Size: 1796 bytes --]
Ricardo Wurmus <rekado@elephly.net> writes:
> Hi Alex,
>
>> On Wed, Jul 19, 2017 at 07:04:53PM +0800, Alex Vong wrote:
>>> Here is the updated patch:
>>>
>>> From 33ae64ead2031e7707639302977d31487e992660 Mon Sep 17 00:00:00 2001
>>> From: Alex Vong <alexvong1995@gmail.com>
>>> Date: Wed, 19 Jul 2017 17:01:47 +0800
>>> Subject: [PATCH] gnu: heimdal: Fix CVE-2017-{6594,11103}.
>>>
>>> * gnu/packages/patches/heimdal-CVE-2017-6594.patch,
>>> gnu/packages/patches/heimdal-CVE-2017-11103.patch: New files.
>>> * gnu/local.mk (dist_patch_DATA): Add them.
>>> * gnu/packages/kerberos.scm (heimdal)[source]: Use them.
>>
>> Thanks! I recreated the commit since the patch no longer applied to
>> 'gnu/local.mk' and pushed as 81c35029d4ee4fa7cd517998844229a514b35531.
>>
>> I'm leaving this bug open for now so we can discuss the update.
>
> As mentioned before, the new release bundles a bunch of third party
> libraries. It is not clear to me if *all* things under “lib” are
> external libraries or if some of them are part of the source code of
> heimdal.
>
No, I don't think so. At least the heimdal/ subdirectory[0] should
contain non-third-party code.
> Can we learn from the Debian package for heimdal here?
>
Good suggestion, I think the Build-Depends field in [1] will help. For
example, we should not use the bundled sqlite.
> I think we really ought to update from the very old version we are using
> currently.
>
Agree, our version is even older than the one in Debian old stable.
> --
> Ricardo
>
> GPG: BCA6 89B6 3655 3801 C3C6 2150 197A 5888 235F ACAC
> https://elephly.net
[0]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/lib.
[1]: https://anonscm.debian.org/cgit/collab-maint/heimdal.git/tree/debian/control
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-10-19 14:57 ` Alex Vong
@ 2017-10-21 9:52 ` Alex Vong
2017-11-26 22:59 ` Leo Famulari
2018-06-10 8:04 ` bug#27749: " 宋文武
0 siblings, 2 replies; 13+ messages in thread
From: Alex Vong @ 2017-10-21 9:52 UTC (permalink / raw)
To: Ricardo Wurmus; +Cc: 27749
[-- Attachment #1.1: Type: text/plain, Size: 366 bytes --]
Hello,
This is the new patch. It is basically the first patch but with the
sqlite and libedit bundled dependencies removed. I don't know if there
are any other bundled dependencies so I am asking this on the heimdal
mailing list.
Also, since I am not a user of heimdal, we need someone to check if the
new version does work properly (as some test failures occur).
[-- Attachment #1.2: 0001-gnu-heimdal-Update-to-7.4.0.patch --]
[-- Type: text/x-diff, Size: 6463 bytes --]
From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
From: Alex Vong <alexvong1995@gmail.com>
Date: Tue, 18 Jul 2017 06:36:48 +0800
Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
* gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
[source]: Update source uri.
[arguments]: Adjust #:configure-flags and build phases accordingly.
[inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
and sqlite.
---
gnu/packages/kerberos.scm | 86 +++++++++++++++++++++++++++++++++++------------
1 file changed, 64 insertions(+), 22 deletions(-)
diff --git a/gnu/packages/kerberos.scm b/gnu/packages/kerberos.scm
index 801b4e44a..fde310e65 100644
--- a/gnu/packages/kerberos.scm
+++ b/gnu/packages/kerberos.scm
@@ -6,6 +6,7 @@
;;; Copyright © 2012, 2013 Nikita Karetnikov <nikita@karetnikov.org>
;;; Copyright © 2012, 2017 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2017 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2017 Alex Vong <alexvong1995@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -145,16 +146,15 @@ secure manner through client-server mutual authentication via tickets.")
(define-public heimdal
(package
(name "heimdal")
- (version "1.5.3")
+ (version "7.4.0")
(source (origin
(method url-fetch)
- (uri (string-append "http://www.h5l.org/dist/src/heimdal-"
- version ".tar.gz"))
+ (uri (string-append "https://github.com/" name "/" name
+ "/releases/download/" name "-" version
+ "/" name "-" version ".tar.gz"))
(sha256
(base32
- "19gypf9vzfrs2bw231qljfl4cqc1riyg0ai0xmm1nd1wngnpphma"))
- (patches (search-patches "heimdal-CVE-2017-6594.patch"
- "heimdal-CVE-2017-11103.patch"))
+ "1b992ifwnr06h89f8vqp1l0z8ixh29sk9nhk99lw28dd6v6lxq9x"))
(modules '((guix build utils)))
(snippet
'(substitute* "configure"
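Review bot: The `(patches (search-patches "heimdal-CVE-2017-6594.patch" "heimdal-CVE-2017-11103.patch"))` field is dropped from the origin, but the commit log only says "[source]: Update source uri." and the diffstat lists gnu/packages/kerberos.scm alone. Please say in the log that both patches are removed, after confirming that 7.4.0 carries the fix for CVE-2017-6594 as well as CVE-2017-11103, and delete the now unused patch files in the same commit. Separately, building the URI from `name` three times ties the GitHub organisation and repository names to the package name; writing "heimdal/heimdal" out in the string would be easier to read.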
@@ -162,33 +162,75 @@ secure manner through client-server mutual authentication via tickets.")
(("Date=.*$") "Date=2017\n")))))
(build-system gnu-build-system)
(arguments
- '(#:configure-flags (list
- ;; Work around a linker error.
- "CFLAGS=-pthread"
+ '(#:modules ((guix build gnu-build-system)
+ (guix build utils)
+ (srfi srfi-26))
+
+ #:configure-flags (list
+ (string-append "CPPFLAGS=-D_PATH_BSHELL="
+ (assoc-ref %build-inputs "bash")
+ "/bin/sh")
;; Avoid 7 MiB of .a files.
"--disable-static"
;; Do not build libedit.
- (string-append
- "--with-readline-lib="
- (assoc-ref %build-inputs "readline") "/lib")
- (string-append
- "--with-readline-include="
- (assoc-ref %build-inputs "readline") "/include"))
+ (string-append "--with-readline="
+ (assoc-ref %build-inputs "readline"))
+
+ ;; Do not build sqlite.
+ (string-append "--with-sqlite3="
+ (assoc-ref %build-inputs "sqlite")))
#:phases (modify-phases %standard-phases
+ (add-after 'unpack 'pre-build
+ (lambda _
+ (for-each (lambda (file) ;fix sh paths
+ (substitute* file
+ (("/bin/sh")
+ (which "sh"))))
+ '("appl/afsutil/pagsh.c" "tools/Makefile.am"))
+ (substitute* "lib/roken/getxxyyy.c" ;set user during test
+ (("user = getenv\\(\"USER\"\\);")
+ (format #f
+ "#ifndef TEST_GETXXYYY
+#error \"TEST_GETXXYYY is not defined\"
+#endif
+user = \"~a\";
+"
+ (passwd:name (getpwuid (getuid))))))
+ #t))
+
+ (add-after 'pre-build 'autogen
+ (lambda _
+ (zero? (system* "sh" "autogen.sh"))))
+
+ ;; FIXME: figure out the complete list of bundled libraries
+ (add-after 'configure 'remove-bundled-libraries
+ (lambda _
+ (for-each delete-file-recursively
+ '("lib/libedit" "lib/sqlite"))))
+
(add-before 'check 'skip-tests
(lambda _
- ;; The test simply runs 'ftp --version && ftp --help'
- ;; but that fails in the chroot because 'ftp' tries to
- ;; do a service lookup before printing the help/version.
- (substitute* "appl/ftp/ftp/Makefile.in"
- (("^CHECK_LOCAL =.*")
- "CHECK_LOCAL = no-check-local\n"))
+ ;; skip db tests for now
+ ;; FIXME: figure out why they fail
+ (call-with-output-file "tests/db/have-db.in"
+ (cut format <> "#!~a~%exit 1~%" (which "sh")))
#t)))))
+
(native-inputs `(("e2fsprogs" ,e2fsprogs))) ;for 'compile_et'
- (inputs `(("readline" ,readline)
+ (inputs `(("autoconf" ,autoconf) ;for autogen
+ ("automake" ,automake)
+ ("libtool" ,libtool)
+ ("perl" ,perl)
+ ("perl-json" ,perl-json)
+
+ ("texinfo" ,texinfo) ;for doc
+ ("unzip" ,unzip) ;for test
+
+ ("readline" ,readline)
+ ("sqlite" ,sqlite)
("bdb" ,bdb)
("e2fsprogs" ,e2fsprogs))) ;for libcom_err
(home-page "http://www.h5l.org/")
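Review bot: In 'skip-tests, overwriting tests/db/have-db.in with a script that always runs `exit 1` turns off every db test while the FIXME says the cause of the failures is unknown; for a Kerberos implementation that leaves the database backend unverified, so please narrow the skip to the tests that actually fail and record the observed failure in the comment. The 'remove-bundled-libraries phase runs after 'configure and, unlike 'pre-build and 'skip-tests, does not end in #t; if the build allows it, deleting lib/libedit and lib/sqlite earlier (for example in the origin snippet) would make the build fail instead of silently falling back to the bundled copies. autoconf, automake, libtool, perl, perl-json, texinfo and unzip are commented as being for autogen, doc and test, so they look like native-inputs rather than inputs.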
--
2.14.2
[-- Attachment #1.3: Type: text/plain, Size: 14 bytes --]
Cheers,
Alex
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-10-21 9:52 ` Alex Vong
@ 2017-11-26 22:59 ` Leo Famulari
2018-06-10 8:04 ` bug#27749: " 宋文武
1 sibling, 0 replies; 13+ messages in thread
From: Leo Famulari @ 2017-11-26 22:59 UTC (permalink / raw)
To: Alex Vong; +Cc: Ricardo Wurmus, 27749
[-- Attachment #1: Type: text/plain, Size: 983 bytes --]
On Sat, Oct 21, 2017 at 05:52:58PM +0800, Alex Vong wrote:
> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependencies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.4.0.
> [source]: Update source uri.
> [arguments]: Adjust #:configure-flags and build phases accordingly.
> [inputs]: Add autoconf, automake, libtool, perl, perl-json, texinfo, unzip
> and sqlite.
What's the status of this patch? Did anyone test it?
* bug#27749: [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2017-10-21 9:52 ` Alex Vong
2017-11-26 22:59 ` Leo Famulari
@ 2018-06-10 8:04 ` 宋文武
2018-06-25 3:16 ` [bug#27749] " Alex Vong
1 sibling, 1 reply; 13+ messages in thread
From: 宋文武 @ 2018-06-10 8:04 UTC (permalink / raw)
To: Alex Vong; +Cc: Ricardo Wurmus, 27749-done
Alex Vong <alexvong1995@gmail.com> writes:
> Hello,
>
> This is the new patch. It is basically the first patch but with the
> sqlite and libedit bundled dependencies removed. I don't know if there
> are any other bundled dependencies so I am asking this on the heimdal
> mailing list.
>
> Also, since I am not a user of heimdal, we need someone to check if the
> new version does work properly (as some test failures occur).
>
> From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> From: Alex Vong <alexvong1995@gmail.com>
> Date: Tue, 18 Jul 2017 06:36:48 +0800
> Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
>
Hello, I adjusted this patch to version '7.5.0', and pushed, thank you!
Closing now :-)
* [bug#27749] [PATCH] gnu: heimdal: Update to 7.4.0 [fixes CVE-2017-11103].
2018-06-10 8:04 ` bug#27749: " 宋文武
@ 2018-06-25 3:16 ` Alex Vong
0 siblings, 0 replies; 13+ messages in thread
From: Alex Vong @ 2018-06-25 3:16 UTC (permalink / raw)
To: 宋文武; +Cc: Ricardo Wurmus, 27749-done
[-- Attachment #1: Type: text/plain, Size: 892 bytes --]
Thanks for taking care of it!
On 10 June 2018 at 16:04, 宋文武 <iyzsong@member.fsf.org> wrote:
> Alex Vong <alexvong1995@gmail.com> writes:
>
> > Hello,
> >
> > This is the new patch. It is basically the first patch but with the
> > sqlite and libedit bundled dependencies removed. I don't know if there
> > are any other bundled dependencies so I am asking this on the heimdal
> > mailing list.
> >
> > Also, since I am not a user of heimdal, we need someone to check if the
> > new version does work properly (as some test failures occur).
> >
> > From 4b2fcc8998da79aea5b09d5646569906bb447638 Mon Sep 17 00:00:00 2001
> > From: Alex Vong <alexvong1995@gmail.com>
> > Date: Tue, 18 Jul 2017 06:36:48 +0800
> > Subject: [PATCH] gnu: heimdal: Update to 7.4.0.
> >
>
> Hello, I adjusted this patch to version '7.5.0', and pushed, thank you!
>
> Closing now :-)
>