Your message dated Mon, 14 Aug 2023 20:36:26 +0000
with message-id <[email protected]>
and subject line Bug#1043431: fixed in krb5 1.20.1-3
has caused the Debian Bug report #1043431,
regarding krb5: CVE-2023-36054
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1043431: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043431
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.20.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for krb5.

CVE-2023-36054[0]:
| lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
| and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
| authenticated user can trigger a kadmind crash. This occurs because
| _xdr_kadm5_principal_ent_rec does not validate the relationship
| between n_key_data and the key_data array count.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-36054
    https://www.cve.org/CVERecord?id=CVE-2023-36054
[1] https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
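The bug class in the report above (a length field that is trusted without being checked against the array it describes, and a cleanup path that frees pointers never initialised) is illustrated below with an added C example. This is not krb5 code: the wire layout, the struct and function names, the `MAX_KEY_DATA` bound and the sample buffers are all constructed for this illustration. It shows the defensive shape a decoder needs: validate the count against the array's own length prefix before allocating, zero-fill the array so that an early exit frees only `NULL` or owned pointers, and leave the record empty on any failure.

```c
/*
 * Added illustration (not krb5 code): a length-checked decoder for a
 * principal record whose key_data array is preceded by a separate
 * n_key_data count. The wire layout is constructed for this example,
 * not the real XDR encoding used by kadmind.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY_DATA 64          /* assumed sanity bound, not an MIT constant */

typedef struct {
    uint32_t len;
    unsigned char *contents;     /* NULL until successfully allocated */
} key_blob;

typedef struct {
    uint32_t n_key_data;         /* count field carried in the record */
    key_blob *key_data;          /* array whose own length prefix must agree */
} principal_rec;

/* Read a big-endian uint32; fail cleanly on a truncated buffer. */
static int read_u32(const unsigned char **p, size_t *left, uint32_t *out)
{
    if (*left < 4)
        return 0;
    *out = ((uint32_t)(*p)[0] << 24) | ((uint32_t)(*p)[1] << 16) |
           ((uint32_t)(*p)[2] << 8)  |  (uint32_t)(*p)[3];
    *p += 4;
    *left -= 4;
    return 1;
}

/* Safe on partially decoded records: every pointer was zeroed by calloc,
 * so freeing an entry that was never reached is free(NULL). */
void free_principal_rec(principal_rec *rec)
{
    if (rec->key_data != NULL) {
        for (uint32_t i = 0; i < rec->n_key_data; i++)
            free(rec->key_data[i].contents);
        free(rec->key_data);
    }
    rec->key_data = NULL;
    rec->n_key_data = 0;
}

/* Constructed layout: u32 n_key_data | u32 array_count | array_count x (u32 len, len bytes).
 * Returns 0 on success, -1 on malformed input; on -1 the record is empty and owns nothing. */
int decode_principal_rec(const unsigned char *buf, size_t len, principal_rec *rec)
{
    const unsigned char *p = buf;
    size_t left = len;
    uint32_t n, count;

    memset(rec, 0, sizeof(*rec));
    if (!read_u32(&p, &left, &n) || !read_u32(&p, &left, &count))
        return -1;
    /* The relationship the CVE text says went unchecked: the array's own
     * length prefix must match the record's n_key_data. */
    if (count != n || n > MAX_KEY_DATA)
        return -1;
    rec->n_key_data = n;
    if (n == 0)
        return 0;
    rec->key_data = calloc(n, sizeof(key_blob));   /* zero-filled on purpose */
    if (rec->key_data == NULL)
        goto fail;
    for (uint32_t i = 0; i < n; i++) {
        uint32_t blen;
        if (!read_u32(&p, &left, &blen) || blen > left)
            goto fail;
        rec->key_data[i].contents = malloc(blen ? blen : 1);
        if (rec->key_data[i].contents == NULL)
            goto fail;
        memcpy(rec->key_data[i].contents, p, blen);
        rec->key_data[i].len = blen;
        p += blen;
        left -= blen;
    }
    return 0;
fail:
    free_principal_rec(rec);
    return -1;
}

/* Constructed sample inputs for a self-check. */
static const unsigned char WELL_FORMED[] = {
    0,0,0,2,  0,0,0,2,  0,0,0,3, 'a','b','c',  0,0,0,1, 'z' };
static const unsigned char MISMATCHED[] = {   /* claims 3 keys, array carries 1 */
    0,0,0,3,  0,0,0,1,  0,0,0,1, 'q' };
static const unsigned char TRUNCATED[] = {    /* second blob claims 8 bytes, 1 present */
    0,0,0,2,  0,0,0,2,  0,0,0,1, 'a',  0,0,0,8, 'b' };

/* Returns the number of keys decoded, or -1 when the input is rejected. */
int decode_count(const unsigned char *buf, size_t len)
{
    principal_rec rec;
    int rc = decode_principal_rec(buf, len, &rec);
    int n = (rc == 0) ? (int)rec.n_key_data : -1;
    free_principal_rec(&rec);   /* harmless after failure: record owns nothing */
    return n;
}

int demo_well_formed(void) { return decode_count(WELL_FORMED, sizeof WELL_FORMED); }
int demo_mismatched(void)  { return decode_count(MISMATCHED, sizeof MISMATCHED); }
int demo_truncated(void)   { return decode_count(TRUNCATED, sizeof TRUNCATED); }
```

The two properties that matter for this bug class are the `count != n` rejection before any allocation and the `calloc` plus single `fail:` path: whichever step fails, `free_principal_rec` only ever sees pointers that are either owned or `NULL`, so a malformed record from an authenticated client is rejected rather than crashing the daemon.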
--- Begin Message ---
Source: krb5
Source-Version: 1.20.1-3
Done: Sam Hartman <[email protected]>

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <[email protected]> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 14 Aug 2023 14:06:53 -0600
Source: krb5
Architecture: source
Version: 1.20.1-3
Distribution: unstable
Urgency: high
Maintainer: Sam Hartman <[email protected]>
Changed-By: Sam Hartman <[email protected]>
Closes: 1043431
Changes:
 krb5 (1.20.1-3) unstable; urgency=high
 .
   * Fixes CVE-2023-36054: a remote authenticated attacker can cause
     kadmind to free an uninitialized pointer.  Upstream believes remote
     code execution is unlikely, Closes: #1043431
Checksums-Sha1:
 627602d50d8471845845b2c13643cf5d2b75b41e 3171 krb5_1.20.1-3.dsc
 379464c74a077057bacc59ce4c52107680f659a9 100208 krb5_1.20.1-3.debian.tar.xz
 a70196905c61a670ef702f4d734cf116c21169ff 5169 krb5_1.20.1-3_source.buildinfo
Checksums-Sha256:
 1b272a4e1d303749af23c10c1e5f709115b63b4d739361df4282d88403705057 3171 krb5_1.20.1-3.dsc
 045ee0fca6e008f2cbfdadeea8f9d66182f21c99ae67d20cf940e98f1e513a28 100208 krb5_1.20.1-3.debian.tar.xz
 77e30fee23ec96b835fafd906f855fbed19d8b08b3f1041cb6a74cd59a5125f8 5169 krb5_1.20.1-3_source.buildinfo
Files:
 8dc148966658252b2ec316ee45f563fb 3171 net optional krb5_1.20.1-3.dsc
 093eafce2c1f7c7cbae0e28b1770f794 100208 net optional krb5_1.20.1-3.debian.tar.xz
 07c6e596f150874c48c0a5d5e239545d 5169 net optional krb5_1.20.1-3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSj2jRwbAdKzGY/4uAsbEw8qDeGdAUCZNqMrgAKCRAsbEw8qDeG
dHgHAP4u/bkN+2U/4BnmOn7LvXjiPmyk9I3pv6PprPFlEFc35wD/ea95+CCocV+O
DPFgTeq/G/ckBzx15ASlcQ4rXKKT7QM=
=Bsl2
-----END PGP SIGNATURE-----

--- End Message ---