Summary: | app-crypt/mit-krb5: remote denial of service (CVE-2011-4151) | |
---|---|---|---
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED DUPLICATE | |
Severity: | minor | CC: | kerberos
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | B3 [ebuild] | |
Package list: | | Runtime testing required: | ---
Description

GLSAMaker/CVETool Bot 2011-10-22 04:47:17 UTC

(In reply to comment #0)
> @kerberos, I am not able to find much information about this. Help?

Upstream response:

"""
It looks like someone split CVE-2011-1528 without notifying us. Basically, CVE-2011-1528 covers two different configurations in which two different sets of releases are vulnerable depending on the KDC back end configuration. It looks like whoever did the split meant to separately identify the Berkeley DB back end vulnerability as CVE-2011-4151, leaving the LDAP back end vulnerability as CVE-2011-1528, but the CVE database does not reflect this split completely, leaving CVE-2011-1528 describing both variants. We made a close judgment call that the two variants did not merit separate CVE IDs, but it looks like someone disagreed.

If I am reading the limited information in the entry for CVE-2011-4151 correctly, it is already covered by the patch in MITKRB5-SA-2011-006. Also note that krb5-1.9 and later are not vulnerable to CVE-2011-4151 (the Berkeley DB variation of the vulnerability).

I will ask the CVE maintainers for clarification about why the CVE ID split occurred, and update the advisory as appropriate.
"""

It looks like we are good. I will let you know if there are other developments.

(In reply to comment #1)
> It looks like we are good. I will let you know if there are other
> developments.

Great, thank you for digging into this.

*** This bug has been marked as a duplicate of bug 387585 ***