Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 550120 (CVE-2015-3206) - <dev-python/pykerberos-1.1.7: checkPassword() does not verify KDC authenticity
Summary: <dev-python/pykerberos-1.1.7: checkPassword() does not verify KDC authenticity
Alias: CVE-2015-3206
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2015-05-22 07:09 UTC by Agostino Sarubbo
Modified: 2016-11-26 00:02 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-22 07:09:20 UTC
From ${URL} :

The python-kerberos checkPassword() function does not verify that the KDC that it is authenticating 
with is the one that it intended to communicate with. This could allow a man-in-the-middle attacker 
to spoof a KDC when an application using python-kerberos attempts to verify a password via the 
checkPassword() function.

This issue is tracked upstream in , however it was 
resolved by documenting the shortcomings of the checkPassword() function: .

The pykerberos library (, a fork of python-kerberos, does 
include KDC validation support. This change should be backported to python-kerberos to avoid 
various other application that rely on checkPassword() from having to replace the checkPassword() 
with a more secure alternative.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Delaney (RETIRED) gentoo-dev 2015-05-29 05:10:51 UTC
*pykerberos-1.1.7 (29 May 2015)

  29 May 2015; Ian Delaney <> +pykerberos-1.1.7.ebuild:
  bump wrt to sec bug #550120

I bumped this as a member of proxy-maint. I know nothing more of the package. Check with the others listed in CC if you wish.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 17:40:03 UTC
dev-python/pykerberos implemented KDC verification support via

$ git tag --contains 02d13860b25fab58e739f0e000bed0067b7c6f9c

So this was fixed for Gentoo once =dev-python/pykerberos-1.1.7 appeared.

@ Arches,

please test and mark stable: =dev-python/pykerberos-1.1.9
Comment 3 Agostino Sarubbo gentoo-dev 2016-11-25 18:29:08 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2016-11-25 18:55:56 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Patrice Clement gentoo-dev 2016-11-25 23:31:19 UTC
commit 7dd1321fe354b963a72c3876e18d6c211fa2c0ab (HEAD -> master, origin/master, origin/HEAD)
Author:     Patrice Clement <>
AuthorDate: Sat Nov 26 00:29:57 2016 +0100
Commit:     Patrice Clement <>
CommitDate: Sat Nov 26 00:30:10 2016 +0100

dev-python/pykerberos: clean up vulnerable version.


Package-Manager: portage-2.3.0

dev-python/pykerberos/Manifest                |  1 -
dev-python/pykerberos/pykerberos-1.1.5.ebuild | 22 ----------------------
2 files changed, 23 deletions(-)
delete mode 100644 dev-python/pykerberos/pykerberos-1.1.5.ebuild
Comment 6 Patrice Clement gentoo-dev 2016-11-25 23:32:54 UTC
Clean up done. Over to the security team!
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-11-26 00:02:00 UTC
GLSA Vote: No