Your message dated Mon, 28 Aug 2017 16:57:41 -0400
with message-id <[email protected]>
and subject line Fixed in krb5 1.12.1+dfsg-19+deb8u3
has caused the Debian Bug report #819468,
regarding krb5: CVE-2016-3119: null pointer dereference in kadmin
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
819468: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819468
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.10.1+dfsg-1
Severity: important
Tags: security upstream patch fixed-upstream

Hi,

the following vulnerability was published for krb5.

CVE-2016-3119[0]:
| The process_db_args function in
| plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module
| in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x
| through 1.14.1 mishandles the DB argument, which allows remote
| authenticated users to cause a denial of service (NULL pointer
| dereference and daemon crash) via a crafted request to modify a
| principal.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2016-3119
[1] https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
source: krb5
source-version: 1.12.1+dfsg-19+deb8u3

Hi.
The following issues were fixed in 1.12.1+dfsg-19+deb8u3 for jessie.
I ended up needing to build a +deb8u4 because of a build/upload issue,
and so the bugs were not automatically closed.
Here's the relevant changelog info:

krb5 (1.12.1+dfsg-19+deb8u4) jessie; urgency=medium

  * New version number; same code as deb8u3 but rebuilt to build arch all
    packages and because dgit doesn't deal well with reusing a version
    number when a package is rejected

 -- Sam Hartman <[email protected]>  Mon, 28 Aug 2017 11:55:49 -0400

krb5 (1.12.1+dfsg-19+deb8u3) jessie; urgency=high

  * CVE-2017-11368: Remote authenticated attackers can crash the KDC,
    Closes: #869260
  * fix for CVE-2016-3120 (kdc crash on restrict_anon_to_tgt), Closes:
    #832572
  * fix for CVE-2016-3119: remote DOS with ldap for authenticated
    attackers, Closes: #819468
  * Prevent requires_preauth bypass (CVE-2015-2694), Closes: #783557
  
 -- Sam Hartman <[email protected]>  Sun, 13 Aug 2017 18:02:34 -0400



--- End Message ---