Wolfgang Schweer · Dominik George · Wolfgang Schweer · Dominik George · Wolfgang Schweer · Dominik George
--- a/debian/NEWS
+++ b/debian/NEWS
+debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high
+
+    The Kerberos kadm ACLs in /etc/krb5kdc/kadm5.acl contained an insecure
+    setting allowing all authenticated users in the network to change the
+    credentials of everyone else, thus impersonating other users and gaining
+    their privileges.
+
+    If you never changed these ACLs, the package update fixes the issue
+    automatically. If you did, please double-check that no unexpected
+    principal has the c ACL (lower-case!) set.
+
+ -- Dominik George <natureshadow@debian.org>  Mon, 16 Dec 2019 16:29:19 +0100
--- a/debian/changelog
+++ b/debian/changelog
+debian-edu-config (2.10.65+deb10u3) buster-security; urgency=high
+
+  * Security fix for CVE-2019-3467
+
+  [ Wolfgang Schweer ]
+  * share/debian-edu-config/tools/kerberos-kdc-init:
+    - Set proper rights for users in kadm5.acl file. (Closes: #946797)
+  * Adjust debian/debian-edu-config.postinst to fix kadm5.acl upon upgrades.
+
+  [ Holger Levsen ]
+  * Improve debian/debian-edu-config.postinst fix to only run once on
+    upgrades.
+
+  [ Dominik George ]
+  * Add NEWS to warn administrators with possible local changes.
+
+ -- Dominik George <natureshadow@debian.org>  Mon, 16 Dec 2019 16:29:19 +0100
+
 debian-edu-config (2.10.65+deb10u2) buster; urgency=medium

  [ Wolfgang Schweer ]

--- a/debian/debian-edu-config.postinst
+++ b/debian/debian-edu-config.postinst
@@ -256,6 +256,14 @@ configure)
        cp /etc/cfengine3/debian-edu/edu.cf /var/lib/cfengine3/inputs/debian-edu
        cp /etc/cfengine3/debian-edu/promises.cf /var/lib/cfengine3/inputs
    fi
+
+    # Set proper rights for users - see #946797
+    if dpkg --compare-versions "$2" le "2.10.65+deb10u2" ; then
+        if [ -f /etc/krb5kdc/kadm5.acl ] ; then
+            sed -i 's/\(\*@INTERN[[:space:]]*\)cil/\1CIl/' /etc/krb5kdc/kadm5.acl
+            service krb5-admin-server restart
+        fi
+    fi
    ;;
 esac


--- a/share/debian-edu-config/tools/kerberos-kdc-init
+++ b/share/debian-edu-config/tools/kerberos-kdc-init
@@ -187,7 +187,7 @@ EOF
    if [ ! -f /etc/krb5kdc/kadm5.acl ] ; then
 	cat > /etc/krb5kdc/kadm5.acl <<EOF
 root/admin@INTERN *
-*@INTERN cil
+*@INTERN CIl
 */*@INTERN i
 EOF
    chmod 644 /etc/krb5kdc/kadm5.acl