debian-lan-config (0.19+deb8u2) jessie-security; urgency=high

    The krb5-admin-server ACLs provided by the debian-lan-config
    package in '/usr/share/debian-lan-config/fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC'
    contained an insecure setting.  This allowed all authenticated
    users in the network to change the credentials of everyone else,
    thus impersonating other users and gaining their privileges.

    If you have used these ACLs in '/etc/krb5kdc/kadm5.acl' on a
    machine providing the krb5-admin-server, check and remove
    all lines with non-admin principals from 'kadm5.acl'.
    Usually, the line 'root/admin@INTERN *' is sufficient and all
    other principals must not have access.

    If you copied the FAI config space provided by the
    debian-lan-config package, make sure the file
    'fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC'
    in your FAI config space contains only the line
    'root/admin@INTERN *', to install krb5-admin-servers
    with correct ACLs.
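    The following shell script is an added example, not part of the
    debian-lan-config package or its FAI config space. It audits a
    kadm5.acl file the way the instructions above describe: every
    non-comment line whose principal is not of the form
    <name>/admin@REALM is reported, including wildcard entries such as
    '*@INTERN' that match every authenticated user. The two sample ACL
    files it writes are constructed for the demonstration; the wildcard
    line in the "insecure" sample stands in for the kind of entry the
    advisory describes and is not the actual line the package shipped.

```shell
#!/bin/sh
# Added example, not part of the debian-lan-config package or its FAI
# config space: audit a kadm5.acl file for entries that grant kadmin
# rights to anything other than a <name>/admin@REALM principal.
#
# kadm5.acl lines look like:
#   principal  permissions  [target_principal  [restrictions]]
# A first field such as "*@INTERN" or "*/*@INTERN" matches every
# authenticated user in the realm, which is the kind of entry the
# advisory says to remove.

# check_kadm5_acl FILE
# Prints each offending line (with its line number) and returns 0 when
# every entry is for a <name>/admin@REALM principal, 1 otherwise.
check_kadm5_acl() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        {
            n = split($1, p, "@")          # name[/instance]@REALM
            if (n != 2 || p[2] == "" || index(p[2], "*")) {
                printf "%d: %s\n", NR, $0; bad = 1; next
            }
            m = split(p[1], c, "/")        # name/instance
            if (m != 2 || c[2] != "admin" || index(c[1], "*")) {
                printf "%d: %s\n", NR, $0; bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# write_sample_acl FILE KIND
# Writes a constructed kadm5.acl to FILE. KIND=insecure adds a wildcard
# entry standing in for the kind of line the advisory describes (not the
# actual line shipped by the package); KIND=fixed contains only the
# recommended root/admin@INTERN line.
write_sample_acl() {
    case "$2" in
        insecure)
            cat > "$1" <<'EOF'
# constructed sample: grants every authenticated user all rights
root/admin@INTERN *
*@INTERN *
EOF
            ;;
        fixed)
            cat > "$1" <<'EOF'
# constructed sample: only the admin instance of root may use kadmin
root/admin@INTERN *
EOF
            ;;
    esac
}

# Demonstration on the two constructed files.
tmp=$(mktemp -d)
write_sample_acl "$tmp/insecure.acl" insecure
write_sample_acl "$tmp/fixed.acl" fixed
for f in insecure fixed; do
    if check_kadm5_acl "$tmp/$f.acl"; then
        echo "$f.acl: OK, only */admin principals"
    else
        echo "$f.acl: insecure entries listed above, remove them"
    fi
done
rm -rf "$tmp"
```

    Run it as 'check_kadm5_acl /etc/krb5kdc/kadm5.acl' on the machine
    providing krb5-admin-server, or against the KERBEROS_KDC file in a
    copied FAI config space; a non-zero exit status means a line other
    than the '<name>/admin@REALM' entries is still present. The check
    only looks at the principal field, so an entry is reported even when
    its permission letters are restricted, matching the advice above to
    remove all lines with non-admin principals.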

 -- Utkarsh Gupta <utkarsh@debian.org>  Fri, 10 Jan 2019 03:32:35 +0530
