| Field | Value | Field | Value |
|---|---|---|---|
| Summary | <app-crypt/mit-krb5-1.14.2: null pointer dereference in kadmin (CVE-2016-3119) | | |
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | minor | CC | kerberos |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://bugzilla.redhat.com/show_bug.cgi?id=1319616 | | |
| Whiteboard | B3 [noglsa cve] | | |
| Package list | | Runtime testing required | --- |
Description

Agostino Sarubbo
2016-03-21 13:37:22 UTC

Arches, please stabilize =app-crypt/mit-krb5-1.14.2

Target Keywords = alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc x86

Stable for HPPA PPC64.

amd64 stable

arm stable

Stable on alpha.

x86 stable

ppc stable

sparc stable

ia64 stable.

Maintainer(s), please cleanup. Security, please vote.

cleanup done:

commit 14af0646800b47b2942c2f18d5c9955d8d73717a
Author: Eray Aslan <eras@gentoo.org>
Date:   Tue Jul 12 15:53:36 2016 +0300

    app-crypt/mit-krb5: remove old

    Package-Manager: portage-2.3.0

CVE-2016-3119 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3119): The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.

(In reply to Eray Aslan from comment #10)
> cleanup done:
>
> commit 14af0646800b47b2942c2f18d5c9955d8d73717a
> Author: Eray Aslan <eras@gentoo.org>
> Date:   Tue Jul 12 15:53:36 2016 +0300
>
>     app-crypt/mit-krb5: remove old
>
>     Package-Manager: portage-2.3.0

@Eras, thanks for the work!

GLSA Vote: No.
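The CVE description above names the bug class: a daemon dereferences a pointer it never checked while handling an authenticated client's database argument. The defensive pattern is to validate each argument before using any piece of it. The following is an added illustrative example, not krb5's own code; it assumes DB arguments arrive as `key=value` strings (the function names and the sample keys are constructed) and returns an error code for a NULL, separator-less, empty-key or empty-value argument instead of continuing.

```c
#include <string.h>

enum db_arg_status {
    DB_ARG_OK = 0,
    DB_ARG_NULL,         /* the argument pointer itself is NULL */
    DB_ARG_NO_SEPARATOR, /* no '=' at all, e.g. "dn" */
    DB_ARG_EMPTY_KEY,    /* "=x" */
    DB_ARG_EMPTY_VALUE,  /* "dn=": what a naive strtok()/strchr() split turns into NULL */
    DB_ARG_TOO_LONG
};

/* Split one argument into key and value, checking every pointer before use.
 * Hypothetical helper, not krb5's own implementation. */
enum db_arg_status parse_db_arg(const char *arg, char *key, size_t keylen,
                                char *val, size_t vallen)
{
    const char *eq; size_t klen, vlen;
    if (arg == NULL) return DB_ARG_NULL;
    eq = strchr(arg, '=');  /* first '=' splits; the value may itself contain '=' */
    if (eq == NULL) return DB_ARG_NO_SEPARATOR;
    klen = (size_t)(eq - arg);
    vlen = strlen(eq + 1);
    if (klen == 0) return DB_ARG_EMPTY_KEY;
    if (vlen == 0) return DB_ARG_EMPTY_VALUE;
    if (klen >= keylen || vlen >= vallen) return DB_ARG_TOO_LONG;
    memcpy(key, arg, klen); key[klen] = '\0';
    memcpy(val, eq + 1, vlen); val[vlen] = '\0';
    return DB_ARG_OK;
}

/* Classify one argument using fixed-size scratch buffers. */
enum db_arg_status classify_db_arg(const char *arg)
{
    char key[64], val[256];
    return parse_db_arg(arg, key, sizeof key, val, sizeof val);
}

/* Index of the first malformed entry in a NULL-terminated list, or -1: the
 * caller rejects the whole request rather than letting the daemon crash. */
int first_bad_db_arg(char *const *db_args)
{
    for (int i = 0; db_args != NULL && db_args[i] != NULL; i++)
        if (classify_db_arg(db_args[i]) != DB_ARG_OK)
            return i;
    return -1;
}
```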