debian-lan-config (0.25+deb10u1) buster-security; urgency=high

    The krb5-admin-server ACLs provided by the debian-lan-config
    package in '/usr/share/debian-lan-config/fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC'
    contained an insecure setting.  This allowed all authenticated
    users in the network to change the credentials of everyone else,
    thus impersonating other users and gaining their privileges.

    If you have used these ACLs in '/etc/krb5kdc/kadm5.acl' on a
    machine providing the krb5-admin-server, check and remove
    all lines with non-admin principals from 'kadm5.acl'.
    Usually, the line 'root/admin@INTERN *' is sufficient and all
    other principals must not have access.

    If you copied the FAI config space provided by the
    debian-lan-config package, make sure the file
    'fai/config/files/etc/krb5kdc/kadm5.acl/KERBEROS_KDC'
    in your FAI config space contains only the line
    'root/admin@INTERN *', to install krb5-admin-servers
    with correct ACLs.
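    An added example, not code from the debian-lan-config package or
    its maintainer: the POSIX shell script below audits a kadm5.acl
    file, either '/etc/krb5kdc/kadm5.acl' on a krb5-admin-server or the
    'KERBEROS_KDC' file in a copied FAI config space, and prints every
    ACL entry whose principal is not the expected admin principal, so
    that the entries to remove are visible before editing. Only the
    realm INTERN and the principal 'root/admin@INTERN' come from this
    entry; the sample ACL files are constructed for the demonstration
    and do not reproduce the shipped file.

```shell
#!/bin/sh
# Added example, not part of the debian-lan-config package: audit a
# kadm5.acl file and list every entry whose principal is not an
# expected admin principal.  The realm INTERN and the principal
# root/admin@INTERN come from the NEWS entry; the sample files below
# are constructed for this demonstration.

# kadm5_acl_audit FILE ALLOWED_PRINCIPAL...
# Ignores '#' comments and blank lines; the first field of each
# remaining line is the principal, the rest the permissions and any
# target/restriction fields.  Prints each entry whose principal is not
# in the allowed list.  Returns 0 if at least one such entry exists
# (the file needs editing), 1 if only allowed principals are present.
kadm5_acl_audit() {
    file=$1
    shift
    allowed=" $* "
    sed -e 's/#.*//' "$file" | while read -r principal rest; do
        [ -z "$principal" ] && continue
        case "$allowed" in
            *" $principal "*) ;;   # expected admin entry, keep it
            *) printf '%s\n' "$principal${rest:+ $rest}" ;;
        esac
    done | grep .
}

# Constructed sample of an over-permissive file: a realm-wide wildcard
# principal and a second admin principal both hold rights.
make_insecure_acl() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# kadm5.acl - constructed sample, not the shipped file
root/admin@INTERN   *
*@INTERN            *
alice/admin@INTERN  cil
EOF
    printf '%s\n' "$f"
}

# Constructed sample of the recommended file: only the admin line.
make_clean_acl() {
    f=$(mktemp)
    printf '%s\n' 'root/admin@INTERN *' > "$f"
    printf '%s\n' "$f"
}

acl=$(make_insecure_acl)
if kadm5_acl_audit "$acl" 'root/admin@INTERN'; then
    echo "remove the entries listed above from $acl"
else
    echo "$acl contains only allowed principals"
fi
rm -f "$acl"
```

    Run it against the real file with
    'kadm5_acl_audit /etc/krb5kdc/kadm5.acl root/admin@INTERN'; an
    empty result and exit status 1 mean the file matches the
    recommendation above, anything printed is a line to remove.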

 -- Andreas B. Mundt <andi@debian.org>  Tue, 24 Dec 2019 13:12:55 +0100
