[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 340-1] krb5 security update

Package        : krb5
Version        : 1.8.3+dfsg-4squeeze10
CVE ID         : CVE-2015-2695 CVE-2015-2697
Several vulnerabilities were discovered in krb5, the MIT implementation
of Kerberos. The Common Vulnerabilities and Exposures project identifies
the following problems:


   It was discovered that applications which call gss_inquire_context()
   on a partially-established SPNEGO context can cause the GSS-API
   library to read from a pointer using the wrong type, leading to a
   process crash.


    It was discovered that the build_principal_va() function incorrectly
    handles input strings. An authenticated attacker can take advantage
    of this flaw to cause a KDC to crash using a TGS request with a
    large realm field beginning with a null byte.

For the oldoldstable distribution (squeeze), these problems have been
fixed in version 1.8.3+dfsg-4squeeze10.

We recommend that you upgrade your krb5 packages.

Attachment: signature.asc
Description: PGP signature

Reply to: