File _patchinfo of Package patchinfo

<patchinfo incident="7091">
  <packager>enzokiel</packager>
  <issue tracker="cve" id="2017-6594"></issue>
  <issue tracker="cve" id="2017-11103"></issue>
  <issue tracker="bnc" id="1048278">VUL-0: CVE-2017-11103: samba: Orpheus Lyre KDC-REP service name Orpheus Lyre KDC-REP service name validation (mutual auth bypass) in embedded Heimdalvalidation (mutual auth bypass) in embedded Heimdal</issue>
  <category>security</category>
  <rating>moderate</rating>
  <summary>Security update for libheimdal</summary>
  <description>This update for libheimdal fixes the following issues:

    - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name
      validation.
      This is a critical vulnerability.
      In _krb5_extract_ticket() the KDC-REP service name must be
      obtained from encrypted version stored in 'enc_part' instead
      of the unencrypted version stored in 'ticket'.
      Use of the unecrypted version provides an opportunity for
      successful server impersonation and other attacks.
      Identified by Jeffrey Altman, Viktor Duchovni and
      Nico Williams.
      See https://www.orpheus-lyre.info/ for more details. (bsc#1048278)

    - Fix CVE-2017-6594: transit path validation inadvertently 
      caused the previous hop realm to not be added
      to the transit path of issued tickets. This may, in some
      cases, enable bypass of capath policy in Heimdal versions 1.5
      through 7.2.
      Note, this may break sites that rely on the bug. With the bug
      some incomplete [capaths] worked, that should not have.
      These may now break authentication in some cross-realm
      configurations.
</description>
</patchinfo>