< February 2020 | Russ Allbery > Eagle's Path | May 2020 > |
This is a security release fixing a one-byte buffer overflow when relaying prompts from the underlying Kerberos library. All users of my pam-krb5 module should upgrade as soon as possible. See the security advisory for more information.
There are also a couple more minor security improvements in this release:
The module now rejects passwords as long as or longer than PAM_MAX_RESP_SIZE (normally 512 octets), since they can be used as a denial of service attack via the Kerberos string-to-key function, and uses explicit_bzero where available to clear passwords before releasing memory.
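The length check and password clearing described above, as an added example in C that is not pam-krb5's own code: PAM_MAX_RESP_SIZE is assumed to be 512 when the PAM headers are not included, and the wipe falls back to a volatile store loop on platforms that do not declare explicit_bzero.

```c
#define _DEFAULT_SOURCE 1 /* expose explicit_bzero in glibc's string.h */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#ifndef PAM_MAX_RESP_SIZE
#define PAM_MAX_RESP_SIZE 512 /* assumed: Linux-PAM's maximum response size in octets */
#endif

/* Clear a buffer before release: explicit_bzero where the platform declares
 * it, otherwise a volatile store loop the optimiser cannot drop. */
static void wipe(void *buf, size_t len)
{
#if defined(__OpenBSD__) || defined(__FreeBSD__) || (defined(__GLIBC__) && \
    defined(__USE_MISC) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25)))
    explicit_bzero(buf, len);
#else
    volatile unsigned char *p = buf;
    while (len-- > 0)
        *p++ = 0;
#endif
}

/* Accept a password only if it is strictly shorter than PAM_MAX_RESP_SIZE.
 * memchr stops at the first NUL, so it never scans past a terminated string. */
bool password_length_ok(const char *password)
{
    return password != NULL
        && memchr(password, '\0', PAM_MAX_RESP_SIZE) != NULL;
}

/* Copy an acceptable password for handing to the Kerberos library;
 * returns NULL if it was rejected (or on allocation failure). */
char *copy_password(const char *password)
{
    size_t size;
    char *copy;
    if (!password_length_ok(password))
        return NULL;
    size = strlen(password) + 1;
    copy = malloc(size);
    return copy == NULL ? NULL : memcpy(copy, password, size);
}

/* Release a copy, wiping it first so the password does not linger in freed heap. */
void free_password(char *password)
{
    if (password != NULL) {
        wipe(password, strlen(password));
        free(password);
    }
}
```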
Also in this release, use_pkinit is now supported with MIT Kerberos, the Kerberos prompter function returns more accurate error messages, I fixed an edge-case memory leak in pam_chauthtok, and the module/basic test will run properly with a system krb5.conf file that doesn't specify a realm.
You can get the latest release from the pam-krb5 distribution page. I've also uploaded the new version to Debian unstable and patched security releases with only the security fix to Debian stable and oldstable.