[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 1265-1] krb5 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : krb5
Version        : 1.10.1+dfsg-5+deb7u9
CVE ID         : CVE-2013-1418 CVE-2014-5351 CVE-2014-5353
                 CVE-2014-5355 CVE-2016-3119 CVE-2016-3120
Debian Bug     : 728845 762479 773226 778647 819468 832572

Kerberos, a system for authenticating users and services on a network,
was affected by several vulnerabilities. The Common Vulnerabilities
and Exposures project identifies the following issues.

CVE-2013-1418
    Kerberos allows remote attackers to cause a denial of service
   (NULL pointer dereference and daemon crash) via a crafted request
    when multiple realms are configured.

CVE-2014-5351
    Kerberos sends old keys in a response to a -randkey -keepold
    request, which allows remote authenticated users to forge tickets by
    leveraging administrative access.

CVE-2014-5353
    When the KDC uses LDAP, allows remote authenticated users to cause a
    denial of service (daemon crash) via a successful LDAP query with no
    results, as demonstrated by using an incorrect object type for a
    password policy.

CVE-2014-5355
    Kerberos expects that a krb5_read_message data field is represented
    as a string ending with a '\0' character, which allows remote
    attackers to (1) cause a denial of service (NULL pointer
    dereference) via a zero-byte version string or (2) cause a denial of
    service (out-of-bounds read) by omitting the '\0' character,

CVE-2016-3119
    Kerberos allows remote authenticated users to cause a denial of
    service (NULL pointer dereference and daemon crash) via a crafted
    request to modify a principal.

CVE-2016-3120
    Kerberos allows remote authenticated users to cause a denial of
    service (NULL pointer dereference and daemon crash) via an S4U2Self
    request.

For Debian 7 "Wheezy", these problems have been fixed in version
1.10.1+dfsg-5+deb7u9.

We recommend that you upgrade your krb5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlpx95pfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeRd+g/7B1Fgvyn2LEQB5QlDyxDQG46KLTwihMnrDc0Km8sZ0zAQsoRCzjnL/96G
pxsxnAMuTYkwAS98SKtODgQ3SRfD9gMrUXsIJHAMfqTEVrjWRXOZeJ00LIgj3g6d
690aKQv7TLYtmzizGo3w4KDkmUiVWzpgaGEEO7UCQCClpSODFmvNXYDOe4VRLwVS
MsB8VJ7D9UyjzEhfD2MJZSngBEG5Y+RxB5TZoVCGiHjaC6HiFp3CxEIn2cIuihWU
I3RQGVSPH/dlWkYTi9PIbZBhy+uf/f1V6K8LbPjD3kyMtyNLalc0mv+b61X5LfqQ
8M0hliMldGkhSLFEzpoQbabEYqm6jrnvlXIRY4mJzh0r9NRLdHYXyArw8FKdIq5J
MH0+6Fsmg2CXOguLc6U0GHkPLgrVaSQG2FSDhbb2G2Q866m+n5x9CQLQ68VluQDG
4DsCwIufklh96ZaYsISbOpH7taTLExAusf0xbhdaqqNqd7vcN5A2ciCburUERtLU
Wc8nAJIk5Uf9PU/RipNMNow5yXHZ8mdOUqjDXkJBvNOvgrzMUp3bWJ5aQwWkHbCI
+sw8C5W4KHNpbAAW7ega6tDxV9piEVlwYXFGH6B6ko+tT/L4mcUnB2h4139Dcap4
wnnWbe6i4YA7QspOQbT8iyK6c040gLaV3PmDWY/IcU+IIk4p1ZI=
=4hT1
-----END PGP SIGNATURE-----


Reply to: