Hi Joel K.,

> I've checked the changelog and the diff for version deb9u3. For me it
> looks like the following patch broke the auth helper.
>
> This patch changed the negotiate_kerberos_auth code. Also the debug
> error message I've received was added "ERROR: Invalid base64 token".
>
>   * Improve patch for CVE-2019-12529 and replace more base64 code with code
>     from Nettle's crypto library.
>
> patches/CVE-2019-12529.patch
>
> My C knowledge is way too bad to find the problem in the code. Sorry :)

No problem, thank you for your investigation regardless.

I haven't looked at this issue myself, but what I've done here is
added Markus to the CC of this bug as they prepared the +deb9u2 and
+deb9u3 updates and may not see this message otherwise (not quite sure
who is on the recipient list of this mail):

  squid3 (3.5.23-5+deb9u3) stretch-security; urgency=high

    * Non-maintainer upload by the LTS team.
    * Fix regression when parsing icap and ecap protocols. Do not return
      PROTO_NONE anymore and prevent an assertion. (Closes: #965012)
    * Improve patch for CVE-2019-12529 and replace more base64 code with code
      from Nettle's crypto library.
    * Enable the test suite by default now. Fix test failures.

   -- Markus Koschany <a...@debian.org>  Sat, 08 Aug 2020 20:51:51 +0200

  squid3 (3.5.23-5+deb9u2) stretch-security; urgency=medium

    * Non-maintainer upload by the LTS team.
    * Fix CVE-2018-19132, CVE-2019-12519, CVE-2019-12520, CVE-2019-12521,
      CVE-2019-12523, CVE-2019-12524, CVE-2019-12525, CVE-2019-12526,
      CVE-2019-12528, CVE-2019-12529, CVE-2019-13345, CVE-2019-18676,
      CVE-2019-18677, CVE-2019-18678, CVE-2019-18679, CVE-2019-18860,
      CVE-2020-11945, CVE-2020-8449 and CVE-2020-8450.
      Several security vulnerabilities were discovered in squid3.
      Due to incorrect input validation and URL request handling it was possible
      to bypass access restrictions which allowed access to restricted HTTP
      servers and to cause a denial-of-service.

   -- Markus Koschany <a...@debian.org>  Fri, 10 Jul 2020 21:58:09 +0200

Hopefully the solution will be obvious/straightforward to Markus.
Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org 🍥 chris-lamb.co.uk
       `-

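The thread above narrows the regression to a base64 change in the Negotiate helper but does not establish the root cause. As an added example (not code from the page, from Squid or from Nettle), the following models the helper's input path: Squid hands the helper one request per line ("YR <token>" for a new exchange, "KK <token>" for a continuation), and the helper base64-decodes the token before passing it to GSSAPI. The two decoders are stand-ins: `decode_lenient` assumes the permissive behaviour typical of a hand-rolled decoder (whitespace ignored, missing padding tolerated), `decode_strict` rejects anything outside the alphabet. The sample token is a constructed opaque blob, not a real Kerberos ticket. Whether the +deb9u3 failure is one of these cases is an assumption to test against the real helper, not a finding of the thread.

```python
import base64
import binascii
import re

# Constructed sample: 47 arbitrary bytes standing in for an opaque GSSAPI
# token. 47 bytes encodes to 64 base64 characters with one '=' of padding.
SAMPLE_TOKEN = bytes(range(47))


def encode_token(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def decode_lenient(text: str) -> bytes:
    """Assumed 'old' behaviour: drop whitespace, repair missing padding."""
    cleaned = re.sub(r"\s+", "", text)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def decode_strict(text: str) -> bytes:
    """Assumed 'new' behaviour: any stray character or missing padding is an
    error (validate=True makes Python reject non-alphabet characters)."""
    return base64.b64decode(text, validate=True)


def parse_helper_line(line: str, strict: bool):
    """Parse one 'YR <token>' / 'KK <token>' helper request line.

    Returns (kind, token_bytes) on success or (kind, None) when the line is
    malformed or the token fails to decode, which is where the helper would
    log an 'Invalid base64 token' style error.
    """
    line = line.rstrip("\r\n")          # the helper reads whole lines from stdin
    parts = line.split(" ", 1)
    if len(parts) != 2 or parts[0] not in ("YR", "KK"):
        return (parts[0], None)
    kind, token = parts
    decoder = decode_strict if strict else decode_lenient
    try:
        return (kind, decoder(token))
    except (binascii.Error, ValueError):
        return (kind, None)


def diagnose(line: str) -> str:
    """Triage a captured helper request line:
    'ok'                    both decoders accept it
    'regression-candidate'  only the lenient decoder accepts it
    'invalid'               neither decoder accepts it
    """
    lenient_ok = parse_helper_line(line, strict=False)[1] is not None
    strict_ok = parse_helper_line(line, strict=True)[1] is not None
    if strict_ok:
        return "ok"
    return "regression-candidate" if lenient_ok else "invalid"


if __name__ == "__main__":
    tok = encode_token(SAMPLE_TOKEN)
    # Constructed request lines: clean, trailing space, padding stripped.
    for sample in ("YR " + tok + "\n", "YR " + tok + " \n", "KK " + tok.rstrip("=") + "\n"):
        print(repr(sample[:12]) + "...", diagnose(sample))
```

To apply this to the real bug, run the helper by hand (`negotiate_kerberos_auth -d`), paste the exact "YR ..." line that Squid logged as failing, and check whether the token carries trailing whitespace, is unpadded, or uses a non-standard alphabet; if `diagnose` reports "regression-candidate" for a line the old helper accepted, that pinpoints which tolerance the new decoder dropped.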