Your message dated Fri, 18 Aug 2023 22:17:08 +0000
with message-id <[email protected]>
and subject line Bug#1043431: fixed in krb5 1.20.1-2+deb12u1
has caused the Debian Bug report #1043431,
regarding krb5: CVE-2023-36054
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1043431: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043431
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.20.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for krb5.
CVE-2023-36054[0]:
| lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
| and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
| authenticated user can trigger a kadmind crash. This occurs because
| _xdr_kadm5_principal_ent_rec does not validate the relationship
| between n_key_data and the key_data array count.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-36054
https://www.cve.org/CVERecord?id=CVE-2023-36054
[1] https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
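The consistency check the CVE description above refers to, as an added example that is neither krb5's code nor the upstream fix: a constructed C model of a record that declares n_key_data and then carries an XDR-style length-prefixed key_data array, where the decoder rejects any disagreement between the two counts before allocating, so the free routine (which walks the declared count) can never touch entries that were never built. Type names, field layout and the sample byte strings are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Model types (not krb5's): each entry owns a buffer; n_key_data is declared apart from the array length. */
typedef struct { uint32_t kvno; uint32_t len; uint8_t *contents; } key_data_t;
typedef struct { uint32_t n_key_data; key_data_t *key_data; } principal_ent_t;
static int read_u32(const uint8_t **p, const uint8_t *end, uint32_t *out) {
    if (end - *p < 4) return 0;                       /* bounds check before every read */
    *out = 0; for (int i = 0; i < 4; i++) *out = (*out << 8) | *(*p)++;  /* big-endian */
    return 1;
}
/* Frees per-entry buffers by the declared count: safe only because the decoder keeps that count honest. */
void free_principal_ent(principal_ent_t *ent) {
    for (uint32_t i = 0; i < ent->n_key_data; i++)
        free(ent->key_data[i].contents);
    free(ent->key_data);
    memset(ent, 0, sizeof(*ent));
}
/* Returns 1 on success, 0 on malformed input, never leaving ent half-built. */
int decode_principal_ent(const uint8_t *buf, size_t len, principal_ent_t *ent) {
    const uint8_t *p = buf, *end = buf + len;
    uint32_t declared, array_len; memset(ent, 0, sizeof(*ent));
    if (!read_u32(&p, end, &declared) || !read_u32(&p, end, &array_len)) return 0;
    /* The check the advisory says was missing: wire array length must equal the declared count (plus a cap). */
    if (array_len != declared || array_len > 1024) return 0;
    if (!(ent->key_data = calloc(array_len + 1, sizeof(key_data_t)))) return 0;
    ent->n_key_data = array_len;                      /* set only once the array exists */
    for (uint32_t i = 0; i < array_len; i++) {
        key_data_t *kd = &ent->key_data[i];
        if (!read_u32(&p, end, &kd->kvno) || !read_u32(&p, end, &kd->len) ||
            (size_t)(end - p) < kd->len || !(kd->contents = malloc(kd->len + 1))) {
            ent->n_key_data = i;                      /* release only the populated entries */
            free_principal_ent(ent);
            return 0;
        }
        memcpy(kd->contents, p, kd->len);
        p += kd->len;
    }
    return 1;
}
int decode_and_count(const uint8_t *buf, size_t len) {  /* key count, or -1 if rejected */
    principal_ent_t ent;
    int n = decode_principal_ent(buf, len, &ent) ? (int)ent.n_key_data : -1;
    free_principal_ent(&ent);
    return n;
}
/* Constructed sample records (big-endian fields), not captured traffic. */
static const uint8_t GOOD[] = {0,0,0,2, 0,0,0,2, 0,0,0,1, 0,0,0,3, 'a','b','c', 0,0,0,2, 0,0,0,0};
static const uint8_t MISMATCH[] = {0,0,0,5, 0,0,0,1, 0,0,0,1, 0,0,0,0};
```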
--- Begin Message ---
Source: krb5
Source-Version: 1.20.1-2+deb12u1
Done: Sam Hartman <[email protected]>
We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sam Hartman <[email protected]> (supplier of updated krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Mon, 14 Aug 2023 14:06:53 -0600
Source: krb5
Architecture: source
Version: 1.20.1-2+deb12u1
Distribution: bookworm
Urgency: high
Maintainer: Sam Hartman <[email protected]>
Changed-By: Sam Hartman <[email protected]>
Closes: 1043431
Changes:
krb5 (1.20.1-2+deb12u1) bookworm; urgency=high
.
* Fixes CVE-2023-36054: a remote authenticated attacker can cause
  kadmind to free an uninitialized pointer. Upstream believes remote
  code execution is unlikely, Closes: #1043431
--- End Message ---