Your message dated Mon, 10 Jun 2013 09:47:45 -0400
with message-id <[email protected]>
and subject line UDP ping-pong fixed in 1.11.3
has caused the Debian Bug report #708267,
regarding cve-2002-2443: kpasswd udp ping-pong
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
708267: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=708267
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: krb5-admin-server
Version: 1.10.1+dfsg-5
Owner: [email protected]

Upstream has fixed CVE-2002-2443 in their git master, with the following
commit message:

    Fix kpasswd UDP ping-pong [CVE-2002-2443]

    The kpasswd service provided by kadmind was vulnerable to a UDP
    "ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless
    they pass some basic validation, and don't respond to our own error
    packets.

    Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong
    attack or UDP ping-pong attacks in general, but there is discussion
    leading toward narrowing the definition of CVE-1999-0103 to the echo,
    chargen, or other similar built-in inetd services.

    Thanks to Vincent Danen for alerting us to this issue.

    CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
--- End Message ---
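
The rule stated in the commit message above (answer only packets that pass basic validation, and never answer an error packet) is sketched here as an added C example; it is not the upstream krb5 patch and not part of the original messages. The name `kpasswd_triage`, the verdict enum and the sample datagrams are hypothetical, and the framing is assumed from RFC 3244.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not the krb5 patch. Framing assumed from RFC 3244:
 * 2-byte message length, 2-byte version, 2-byte AP-REQ length, AP-REQ,
 * then KRB-PRIV. A reply with AP-REP length 0 carries a KRB-ERROR. */
enum verdict { DROP_SILENTLY = 0, PROCESS_AND_REPLY = 1 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Hypothetical helper: decide whether a datagram may ever get an answer. */
enum verdict kpasswd_triage(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 6)         /* three 16-bit header fields */
        return DROP_SILENTLY;
    if ((size_t)be16(pkt) != len)       /* declared length != datagram size */
        return DROP_SILENTLY;
    uint16_t ap_len = be16(pkt + 4);
    if (ap_len == 0)                    /* shaped like an error reply */
        return DROP_SILENTLY;
    if ((size_t)ap_len >= len - 6)      /* no room left for KRB-PRIV */
        return DROP_SILENTLY;
    return PROCESS_AND_REPLY;           /* hand over to the real parser */
}

/* Constructed sample datagrams; payload bytes are placeholders. */
static const uint8_t ok_req[]  = {0x00,0x0e, 0x00,0x01, 0x00,0x04, 1,2,3,4, 5,6,7,8};
static const uint8_t err_pkt[] = {0x00,0x0a, 0x00,0x01, 0x00,0x00, 9,9,9,9};
static const uint8_t bad_len[] = {0x00,0x20, 0x00,0x01, 0x00,0x04, 1,2,3,4, 5,6,7,8};
static const uint8_t overrun[] = {0x00,0x0e, 0x00,0x01, 0x00,0x08, 1,2,3,4, 5,6,7,8};
static const uint8_t runt[]    = {0x00,0x03, 0x00};

int main(void)
{
    printf("ok_req  -> %d\n", kpasswd_triage(ok_req, sizeof ok_req));
    printf("err_pkt -> %d\n", kpasswd_triage(err_pkt, sizeof err_pkt));
    printf("bad_len -> %d\n", kpasswd_triage(bad_len, sizeof bad_len));
    printf("overrun -> %d\n", kpasswd_triage(overrun, sizeof overrun));
    printf("runt    -> %d\n", kpasswd_triage(runt, sizeof runt));
    return 0;
}
```

Dropping without a reply is what breaks the loop: a responder's own error output must never be input that draws another response.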
--- Begin Message ---
source: krb5
source-version: 1.11.3+dfsg-1

But the bug number didn't make it into the changelog.
--- End Message ---