
[DONE] wml://security/2015/dla-265.wml




- --- english/security/2015/dla-265.wml	2016-04-08 01:24:54.000000000 +0500
+++ russian/security/2015/dla-265.wml	2016-05-30 22:07:04.568752249 +0500
@@ -1,45 +1,46 @@
- -<define-tag description>LTS security update</define-tag>
+#use wml::debian::translation-check translation="1.2" maintainer="Lev Lamberov"
+<define-tag description>обновление безопаÑ?ноÑ?Ñ?и LTS</define-tag>
 <define-tag moreinfo>
- -<p>Martin Prpic has reported the possibility of a man-in-the-middle attack
- -in the pykerberos code to the Red Hat Bugzilla (Fedora bug tracker). The
- -original issue has earlier been <a href="https://www.calendarserver.org/ticket/833";>reported upstream</a>. We are quoting the
- -upstream bug reported partially below:</p>
- -
- -<p>The python-kerberos checkPassword() method has been badly insecure in
- -previous releases. It used to do (and still does by default) a kinit
- -(AS-REQ) to ask a KDC for a TGT for the given user principal, and
- -interprets the success or failure of that as indicating whether the
- -password is correct. It does not, however, verify that it actually spoke
- -to a trusted KDC: an attacker may simply reply instead with an AS-REP
- -which matches the password he just gave you.</p>
- -
- -<p>Imagine you were verifying a password using LDAP authentication rather
- -than Kerberos: you would, of course, use TLS in conjunction with LDAP to
- -make sure you were talking to a real, trusted LDAP server. The same
- -requirement applies here. kinit is not a password-verification service.</p>
- -
- -<p>The usual way of doing this is to take the TGT you've obtained with the
- -user's password, and then obtain a ticket for a principal for which the
- -verifier has keys (e.g. a web server processing a username/password form
- -login might get a ticket for its own HTTP/host@REALM principal), which
- -it can then verify. Note that this requires that the verifier has its
- -own Kerberos identity, which is mandated by the symmetric nature of
- -Kerberos (whereas in the LDAP case, the use of public-key cryptography
- -allows anonymous verification).</p>
- -
- -<p>With this version of the pykerberos package a new option is introduced
- -for the checkPassword() method. Setting verify to True when using
- -checkPassword() will perform a KDC verification. For this to work, you
- -need to provide a krb5.keytab file containing service principal keys for
- -the service you intend to use.</p>
- -
- -<p>As the default krb5.keytab file in /etc is normally not accessible by
- -non-root users/processes, you have to make sure a custom krb5.keytab
- -file containing the correct principal keys is provided to your
- -application using the KRB5_KTNAME environment variable.</p>
+<p>Ð?аÑ?Ñ?ин Ð?Ñ?пик Ñ?ообÑ?ил в Red Hat Bugzilla (Ñ?иÑ?Ñ?еме оÑ?Ñ?леживаниÑ? оÑ?ибок Fedora)
+о возможноÑ?Ñ?и оÑ?Ñ?Ñ?еÑ?Ñ?влениÑ? аÑ?ак по пÑ?инÑ?ипÑ? Ñ?еловек-в-Ñ?еÑ?едине в коде pykerberos. Ранее
+о пÑ?облеме бÑ?ло <a href="https://www.calendarserver.org/ticket/833";>Ñ?ообÑ?ено авÑ?оÑ?ом оÑ?новной веÑ?ки Ñ?азÑ?абоÑ?ки</a>. Ð?иже
+пÑ?иводиÑ?Ñ?Ñ? Ñ?ообÑ?ение об оÑ?ибке из оÑ?новной веÑ?ки Ñ?азÑ?абоÑ?ки:</p>
+
+<p>Ð?еÑ?од checkPassword() в python-kerberos в пÑ?едÑ?дÑ?Ñ?ем вÑ?пÑ?Ñ?ке
+оказалÑ?Ñ? небезопаÑ?нÑ?м. Ð?н иÑ?полÑ?зовалÑ?Ñ? длÑ? вÑ?полнениÑ? (и по Ñ?молÑ?аниÑ? иÑ?полÑ?зÑ?еÑ?Ñ?Ñ? до Ñ?иÑ? поÑ?) kinit
+(AS-REQ) длÑ? запÑ?оÑ?а TGT Ñ? KDC длÑ? данной Ñ?Ñ?Ñ?Ñ?ной запиÑ?и, а Ñ?акже
+инÑ?еÑ?пÑ?еÑ?иÑ?Ñ?еÑ? Ñ?Ñ?пеÑ?ное вÑ?полнение Ñ?Ñ?ой опеÑ?аÑ?ии или оÑ?ибкÑ?, Ñ?казÑ?ваÑ? Ñ?о, веÑ?ен
+паÑ?олÑ? или неÑ?. Тем не менее, Ñ?Ñ?оÑ? меÑ?од не вÑ?полнÑ?еÑ? пÑ?овеÑ?кÑ? Ñ?ого, Ñ?Ñ?обÑ?
+взаимодейÑ?Ñ?вие оÑ?Ñ?Ñ?еÑ?Ñ?влÑ?лоÑ?Ñ? Ñ? довеÑ?енной KDC: злоÑ?мÑ?Ñ?ленник можеÑ? оÑ?веÑ?иÑ?Ñ? вмеÑ?Ñ?о KDC Ñ?ообÑ?ением Ñ? AS-REP,
+Ñ?овпадаÑ?Ñ?им Ñ? пеÑ?еданнÑ?м им паÑ?олем.</p>
+
+<p>Ð?Ñ?едÑ?Ñ?авÑ?Ñ?е, Ñ?Ñ?о вÑ? пÑ?овеÑ?Ñ?еÑ?е паÑ?олÑ?, иÑ?полÑ?зÑ?Ñ? аÑ?Ñ?енÑ?иÑ?икаÑ?иÑ? LDAP, а не
+Kerberos: конеÑ?но, вÑ? бÑ?деÑ?е иÑ?полÑ?зоваÑ?Ñ? TLS Ñ? LDAP длÑ? Ñ?ого, Ñ?Ñ?об
+Ñ?бедиÑ?Ñ?Ñ?Ñ?, Ñ?Ñ?о вÑ? взаимодейÑ?Ñ?вÑ?еÑ?е Ñ? наÑ?Ñ?оÑ?Ñ?им довеÑ?еннÑ?м Ñ?еÑ?веÑ?ом LDAP. ТÑ?Ñ? пÑ?именÑ?еÑ?Ñ?Ñ?
+Ñ?о же Ñ?Ñ?ебование. kinit не Ñ?влÑ?еÑ?Ñ?Ñ? Ñ?лÑ?жбой пÑ?овеÑ?ки паÑ?олей.</p>
+
+<p>Ð?бÑ?Ñ?но, вÑ? иÑ?полÑ?зÑ?еÑ?е TGT, полÑ?Ñ?еннÑ?й вмеÑ?Ñ?е Ñ? паÑ?олем полÑ?зоваÑ?елÑ?,
+заÑ?ем полÑ?Ñ?аеÑ?е билеÑ? длÑ? Ñ?Ñ?Ñ?Ñ?ной запиÑ?и, длÑ? коÑ?оÑ?ой Ñ? пÑ?овеÑ?Ñ?Ñ?Ñ?его
+имеÑ?Ñ?Ñ?Ñ? клÑ?Ñ?и (напÑ?имеÑ?, веб-Ñ?еÑ?веÑ?, пÑ?овеÑ?Ñ?Ñ?Ñ?ий имÑ? полÑ?зоваÑ?елÑ? и паÑ?олÑ? в Ñ?оÑ?ме
+аÑ?Ñ?енÑ?иÑ?икаÑ?ии, можеÑ? полÑ?Ñ?иÑ?Ñ? билеÑ? длÑ? Ñ?воей Ñ?обÑ?Ñ?венной Ñ?Ñ?Ñ?Ñ?ной запиÑ?и HTTP/host@REALM), коÑ?оÑ?Ñ?е
+он заÑ?ем можеÑ? пÑ?овеÑ?иÑ?Ñ?. Ð?амеÑ?Ñ?Ñ?е, Ñ?Ñ?о Ñ?Ñ?о Ñ?Ñ?ебÑ?еÑ? Ñ?ого, Ñ?Ñ?обÑ? пÑ?овеÑ?Ñ?Ñ?Ñ?ий имел Ñ?воÑ?
+Ñ?обÑ?Ñ?веннÑ?Ñ? Ñ?Ñ?Ñ?Ñ?нÑ?Ñ? запиÑ?Ñ? Kerberos, Ñ?Ñ?о Ñ?Ñ?ебÑ?еÑ?Ñ?Ñ? из-за Ñ?иммеÑ?Ñ?иÑ?ной пÑ?иÑ?одÑ?
+Kerberos (а в Ñ?лÑ?Ñ?ае Ñ? LDAP иÑ?полÑ?зование Ñ?иÑ?Ñ?ованиÑ? Ñ? оÑ?кÑ?Ñ?Ñ?Ñ?ми клÑ?Ñ?ами
+позволÑ?еÑ? оÑ?Ñ?Ñ?еÑ?Ñ?влÑ?Ñ?Ñ? анонимнÑ?Ñ? пÑ?овеÑ?кÑ?).</p>
+
+<p>Ð? Ñ?Ñ?ой веÑ?Ñ?ии пакеÑ?а pykerberos добавлена новаÑ? опÑ?иÑ? длÑ?
+меÑ?ода checkPassword(). УÑ?Ñ?ановка опÑ?ии verify в знаÑ?ение True пÑ?и иÑ?полÑ?зовании
+меÑ?ода checkPassword() пÑ?иведÑ?Ñ? к вÑ?полнениÑ? пÑ?овеÑ?ки KDC. ЭÑ?о Ñ?Ñ?ого вам
+Ñ?ледÑ?еÑ? пÑ?едоÑ?Ñ?авиÑ?Ñ? Ñ?айл krb5.keytab, Ñ?одеÑ?жаÑ?ий клÑ?Ñ?и Ñ?Ñ?Ñ?Ñ?нÑ?Ñ? запиÑ?ей длÑ?
+Ñ?лÑ?жбÑ?, коÑ?оÑ?Ñ?Ñ? вÑ? намеÑ?енÑ? иÑ?полÑ?зоваÑ?Ñ?.</p>
+
+<p>Ð?оÑ?колÑ?кÑ? по Ñ?молÑ?аниÑ? Ñ?айл krb5.keytab в /etc не доÑ?Ñ?Ñ?пен
+полÑ?зоваÑ?елÑ?м и пÑ?оÑ?еÑ?Ñ?ам, не имеÑ?Ñ?им пÑ?ава Ñ?Ñ?пеÑ?полÑ?зоваÑ?елÑ?, вам Ñ?ледÑ?еÑ? Ñ?бедиÑ?Ñ?Ñ?Ñ?, Ñ?Ñ?о ваÑ? Ñ?обÑ?Ñ?веннÑ?й Ñ?айл
+krb5.keytab, Ñ?одеÑ?жаÑ?ий пÑ?авилÑ?нÑ?е клÑ?Ñ?и Ñ?Ñ?Ñ?Ñ?нÑ?Ñ? запиÑ?ей, пеÑ?едаÑ?Ñ?Ñ?Ñ? ваÑ?емÑ?
+пÑ?иложениÑ? Ñ?еÑ?ез пеÑ?еменнÑ?Ñ? окÑ?Ñ?жениÑ? KRB5_KTNAME.</p>
 
- -<p><b>Note</b>: In Debian squeeze(-lts), KDC verification support is disabled by
- -default in order not to break existing setups.</p>
+<p><b>Ð?нимание</b>: в Debian squeeze(-lts) поддеÑ?жка пÑ?овеÑ?ки KDC по Ñ?молÑ?аниÑ? оÑ?клÑ?Ñ?ена
+длÑ? Ñ?ого, Ñ?Ñ?обÑ? не наÑ?Ñ?Ñ?алаÑ?Ñ? Ñ?абоÑ?а Ñ?же наÑ?Ñ?Ñ?оеннÑ?Ñ? Ñ?иÑ?Ñ?ем.</p>
 </define-tag>
 
 # do not modify the following line
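Review bot: the fifth translated paragraph (the one rendering "For this to work, you need to provide a krb5.keytab file containing service principal keys") opens with what decodes from the mis-encoded bytes as "Это этого вам следует", which reads as a typo for "Для этого вам следует"; please correct it before the translation is marked as checked. Two smaller points on the same hunk: the first paragraph renders "has earlier been reported upstream" as what decodes to "сообщено автором основной ветки разработки", i.e. reported *by* the upstream author, whereas the English says the issue was reported *to* upstream (a wording such as "сообщено в основную ветку разработки" keeps the original meaning); and every Cyrillic string in the added lines appears here as double-decoded UTF-8 (e.g. "Ð?аÑ?Ñ?ин" where "Мартин" is meant), so it is worth confirming that the committed russian/security/2015/dla-265.wml is plain UTF-8 and that only the archive rendering, not the file, is at fault.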

