From the release notes:

Major changes in 1.21.3 (2024-06-26)
====================================

This is a bug fix release.

* Fix vulnerabilities in GSS message token handling [CVE-2024-37370, CVE-2024-37371].
* Fix a potential bad pointer free in krb5_cccol_have_contents().
* Fix a memory leak in the macOS ccache type.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b0b1dcf64f222410abcf1cb8cc953ffe497a205

commit 0b0b1dcf64f222410abcf1cb8cc953ffe497a205
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-06-27 07:27:20 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-06-27 07:29:23 +0000

    app-crypt/mit-krb5: add 1.21.3

    security bump
    also
    - install ldif files when openldap USE flag is in use
    - make +threads USE flag mandatory

    Bug: https://bugs.gentoo.org/934994
    Closes: https://bugs.gentoo.org/890038
    Closes: https://bugs.gentoo.org/868462
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/Manifest               |   1 +
 app-crypt/mit-krb5/mit-krb5-1.21.3.ebuild | 154 ++++++++++++++++++++++++++++++
 2 files changed, 155 insertions(+)

CVE-2024-37370: In MIT krb5 release 1.3 and later, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

CVE-2024-37371: In MIT krb5 release 1.3 and later, an attacker can cause invalid memory reads by sending message tokens with invalid length fields.

These sound like Denial of Service issues to me, but I'm not familiar enough with Kerberos to be sure and the description here is a bit sparse.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=705f34d940f47cffff7f2ab8083b068b4c909c66

commit 705f34d940f47cffff7f2ab8083b068b4c909c66
Author:     Eray Aslan <eras@gentoo.org>
AuthorDate: 2024-09-01 12:36:55 +0000
Commit:     Eray Aslan <eras@gentoo.org>
CommitDate: 2024-09-01 12:36:55 +0000

    app-crypt/mit-krb5: drop 1.21.2

    Bug: https://bugs.gentoo.org/934994
    Signed-off-by: Eray Aslan <eras@gentoo.org>

 app-crypt/mit-krb5/Manifest               |   1 -
 app-crypt/mit-krb5/mit-krb5-1.21.2.ebuild | 152 ------------------------------
 2 files changed, 153 deletions(-)