Summary: | <app-crypt/heimdal-7.4.0: bypass of capath policy | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Andrey Ovcharov <sudormrfhalt> |
Component: | Current packages | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | jstein, kerberos |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B4 [noglsa cve] | ||
Package list: | Runtime testing required: | --- | |
Attachments: | heimdal-7.1.0-CVE-2017-6594.patch |
Description
Andrey Ovcharov
2017-06-10 13:34:34 UTC
Created attachment 475900 [details, diff]
heimdal-7.1.0-CVE-2017-6594.patch
https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837: Fix transit path validation CVE-2017-6594 Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm to not be added to the transit path of issued tickets. This may, in some cases, enable bypass of capath policy in Heimdal versions 1.5 through 7.2. Note, this may break sites that rely on the bug. With the bug some incomplete [capaths] worked, that should not have. These may now break authentication in some cross-realm configurations. Fix is present in >=7.4.0 source. GLSA Vote: No |