CVE-2016-3120 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3120): The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.
@Maintainers, we have 1.14.3 in tree, which is fixed; please call for stabilization when ready. Thank you.
Arches, please test and mark stable =app-crypt/mit-krb5-1.15.2

Target keywords: alpha amd64 arm ~arm64 hppa ia64 ~mips ppc ppc64 ~s390 ~sh ~sparc x86

Thank you.
ia64 stable
Stable on alpha.
amd64 stable
ppc/ppc64 stable
hppa stable
x86 stable (ignoring test failures from bug 637526).
arm stable, all arches done.
@maintainer(s), please clean the vulnerable versions.
cleanup done
(In reply to Eray Aslan from comment #11)
> cleanup done

Thank you. Closing report.
tatt says it looks good on sparc
sparc stable (thanks to Rolf Eike Beer)