Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 388079 (CVE-2011-4151) - app-crypt/mit-krb5: remote denial of service (CVE-2011-4151)
Summary: app-crypt/mit-krb5: remote denial of service (CVE-2011-4151)
Status: RESOLVED DUPLICATE of bug 387585
Alias: CVE-2011-4151
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [ebuild]
Depends on:
Reported: 2011-10-22 04:47 UTC by GLSAMaker/CVETool Bot
Modified: 2011-10-23 16:18 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2011-10-22 04:47:17 UTC
CVE-2011-4151 (
  The krb5_db2_lockout_audit function in the Key Distribution Center (KDC) in
  MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4, when the db2 (aka Berkeley DB)
  back end is used, allows remote attackers to cause a denial of service
  (assertion failure and daemon exit) via unspecified vectors, a different
  vulnerability than CVE-2011-1528.

@kerberos, I am not able to find much information about this. Help? --underling
Comment 1 Eray Aslan gentoo-dev 2011-10-23 05:10:13 UTC
(In reply to comment #0)
> @kerberos, I am not able to find much information about this. Help?

Upstream response:

It looks like someone split CVE-2011-1528 without notifying us.
Basically, CVE-2011-1528 covers two different configurations in which
two different sets of releases are vulnerable depending on the KDC
back end configuration.  It looks like whoever did the split meant to
separately identify the Berkeley DB back end vulnerability as
CVE-2011-4151, leaving the LDAP back end vulnerability as
CVE-2011-1528, but the CVE database does not reflect this split
completely, leaving CVE-2011-1528 describing both variants.

We made a close judgment call that the two variants did not merit
separate CVE IDs, but it looks like someone disagreed.

If I am reading the limited information in the entry for CVE-2011-4151
correctly, it is already covered by the patch in MITKRB5-SA-2011-006.
Also note that krb5-1.9 and later are not vulnerable to CVE-2011-4151
(the Berkeley DB variation of the vulnerability).

I will ask the CVE maintainers for clarification about why the CVE ID
split occurred, and update the advisory as appropriate.

It looks like we are good.  I will let you know if there are other developments.
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2011-10-23 16:18:14 UTC
(In reply to comment #1)
> It looks like we are good.  I will let you know if there are other
> developments.

Great, thank you for digging into this.

*** This bug has been marked as a duplicate of bug 387585 ***