Your message dated Fri, 18 Aug 2023 22:17:28 +0000
with message-id <[email protected]>
and subject line Bug#1043431: fixed in krb5 1.18.3-6+deb11u4
has caused the Debian Bug report #1043431,
regarding krb5: CVE-2023-36054
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1043431: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043431
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: krb5
Version: 1.20.1-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for krb5.

CVE-2023-36054[0]:
| lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2
| and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote
| authenticated user can trigger a kadmind crash. This occurs because
| _xdr_kadm5_principal_ent_rec does not validate the relationship
| between n_key_data and the key_data array count.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-36054
    https://www.cve.org/CVERecord?id=CVE-2023-36054
[1] https://github.com/krb5/krb5/commit/ef08b09c9459551aabbe7924fb176f1583053cdd

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
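The defect described in the report above is a count field trusted by the free path while the array it describes was decoded separately, so the two can disagree. The following C program is an added example, not krb5 code and not the upstream fix: its record layout, wire format and names (decode_principal_rec, free_principal_rec, the MSG_* samples) are hypothetical. It shows the three habits that close this class of bug: zero the array on allocation so every element pointer is valid to free, check that the count field agrees with the element count actually decoded before accepting the record, and bound the release loop by the allocated length rather than the client-supplied count.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire record for this example (not the real kadm5 XDR layout):
 *   int32  n_key_data    count field as the client claims it
 *   uint32 array_count   element count of the array that follows
 *   array_count times:   uint32 len, then len bytes
 * All integers are big-endian. */

typedef struct { uint8_t *contents; uint32_t length; } key_blob;

typedef struct {
    int32_t  n_key_data;    /* client-supplied count field */
    uint32_t key_data_len;  /* elements actually allocated and decoded */
    key_blob *key_data;     /* calloc'd, so every contents pointer starts NULL */
} principal_rec;

enum { DECODE_OK = 0, DECODE_TRUNCATED = 1, DECODE_COUNT_MISMATCH = 2, DECODE_NOMEM = 3 };

typedef struct { const uint8_t *p; size_t left; } cursor;

static int get_u32(cursor *c, uint32_t *out) {
    if (c->left < 4) return 0;
    *out = ((uint32_t)c->p[0] << 24) | ((uint32_t)c->p[1] << 16) |
           ((uint32_t)c->p[2] << 8) | c->p[3];
    c->p += 4; c->left -= 4;
    return 1;
}

/* Release a record in any state: partial decodes leave NULL pointers, and the
 * loop bound is the allocated length, never the client-supplied count. */
void free_principal_rec(principal_rec *rec) {
    for (uint32_t i = 0; i < rec->key_data_len; i++)
        free(rec->key_data[i].contents);
    free(rec->key_data);
    memset(rec, 0, sizeof *rec);
}

int decode_principal_rec(const uint8_t *buf, size_t len, principal_rec *rec) {
    cursor c = { buf, len };
    uint32_t n, count;
    memset(rec, 0, sizeof *rec);   /* rec is always safe to free afterwards */
    if (!get_u32(&c, &n) || !get_u32(&c, &count)) return DECODE_TRUNCATED;
    rec->n_key_data = (int32_t)n;
    /* The relationship the report says went unchecked: the count field must
     * agree with the array that actually arrives. Reject before allocating. */
    if (rec->n_key_data < 0 || (uint32_t)rec->n_key_data != count)
        return DECODE_COUNT_MISMATCH;
    /* Each element needs at least its 4-byte length, so an oversized count
     * is detected before any large allocation. */
    if (count > c.left / 4) return DECODE_TRUNCATED;
    if (count > 0) {
        rec->key_data = calloc(count, sizeof *rec->key_data);
        if (!rec->key_data) return DECODE_NOMEM;
    }
    rec->key_data_len = count;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t blen;
        if (!get_u32(&c, &blen) || c.left < blen) {
            free_principal_rec(rec);   /* untouched slots are NULL: safe */
            return DECODE_TRUNCATED;
        }
        rec->key_data[i].contents = malloc(blen ? blen : 1);
        if (!rec->key_data[i].contents) { free_principal_rec(rec); return DECODE_NOMEM; }
        memcpy(rec->key_data[i].contents, c.p, blen);
        rec->key_data[i].length = blen;
        c.p += blen; c.left -= blen;
    }
    return DECODE_OK;
}

/* Constructed sample messages for this example. */
static const uint8_t MSG_CONSISTENT[] = {
    0,0,0,2,  0,0,0,2,  0,0,0,2,'a','b',  0,0,0,3,'x','y','z' };
static const uint8_t MSG_MISMATCH[] = {     /* claims 5 keys, sends 1 */
    0,0,0,5,  0,0,0,1,  0,0,0,2,'a','b' };
static const uint8_t MSG_TRUNCATED[] = {    /* blob length 10, 2 bytes present */
    0,0,0,1,  0,0,0,1,  0,0,0,10,'a','b' };

/* Decode then release; returns the decode status. */
int decode_and_release(const uint8_t *buf, size_t len) {
    principal_rec rec;
    int st = decode_principal_rec(buf, len, &rec);
    free_principal_rec(&rec);
    return st;
}

/* Total bytes of key material decoded, or 0 when the record was rejected. */
uint32_t decoded_key_bytes(const uint8_t *buf, size_t len) {
    principal_rec rec;
    uint32_t total = 0;
    if (decode_principal_rec(buf, len, &rec) == DECODE_OK)
        for (uint32_t i = 0; i < rec.key_data_len; i++) total += rec.key_data[i].length;
    free_principal_rec(&rec);
    return total;
}

int main(void) {
    printf("consistent: status %d, %u key bytes\n",
           decode_and_release(MSG_CONSISTENT, sizeof MSG_CONSISTENT),
           decoded_key_bytes(MSG_CONSISTENT, sizeof MSG_CONSISTENT));
    printf("mismatch:   status %d\n", decode_and_release(MSG_MISMATCH, sizeof MSG_MISMATCH));
    printf("truncated:  status %d\n", decode_and_release(MSG_TRUNCATED, sizeof MSG_TRUNCATED));
    return 0;
}
```

The mismatched sample is rejected before any allocation, and the truncated one is released mid-decode without touching a slot that was never filled; both are the situations in which a free loop driven by the client's count field would walk off the end of (or into uninitialized parts of) the array.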
--- Begin Message ---
Source: krb5
Source-Version: 1.18.3-6+deb11u4
Done: Sam Hartman <[email protected]>

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <[email protected]> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 14 Aug 2023 14:42:46 -0600
Source: krb5
Architecture: source
Version: 1.18.3-6+deb11u4
Distribution: bullseye
Urgency: medium
Maintainer: Sam Hartman <[email protected]>
Changed-By: Sam Hartman <[email protected]>
Closes: 1043431
Changes:
 krb5 (1.18.3-6+deb11u4) bullseye; urgency=medium
 .
   * Fixes CVE-2023-36054: a remote authenticated attacker can cause
     kadmind to free an uninitialized pointer.  Upstream believes remote
     code execution is unlikely, Closes: #1043431
Checksums-Sha1:
 757c0960bca8118a19e2ddff4e3577564fb073f2 3209 krb5_1.18.3-6+deb11u4.dsc
 edde8bee2e2e581e9026736b7d9bba2beda3a2ff 109444 krb5_1.18.3-6+deb11u4.debian.tar.xz
 f3232c158474efcffcd9c42fbbc70f65cee86ba6 5277 krb5_1.18.3-6+deb11u4_source.buildinfo
Checksums-Sha256:
 6d1de6649c399ac6bb3a8d151cffbae93c4d17fafdeec5c4ae26300e5c8b5109 3209 krb5_1.18.3-6+deb11u4.dsc
 9b6c8045949d6b1a108a6756ca8bf6490c5c975b30eb43c287406489e9250196 109444 krb5_1.18.3-6+deb11u4.debian.tar.xz
 2663318bf61b32a4b6928bd68829ef8fb65b1bac86669d52ddd2aaff8526fca3 5277 krb5_1.18.3-6+deb11u4_source.buildinfo
Files:
 a16b0fee80665026f680169fd611f676 3209 net optional krb5_1.18.3-6+deb11u4.dsc
 212e740457642f7607aad0326acde4a9 109444 net optional krb5_1.18.3-6+deb11u4.debian.tar.xz
 2b68f3cc7f38e8bc4d8921ca4dd40357 5277 net optional krb5_1.18.3-6+deb11u4_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSj2jRwbAdKzGY/4uAsbEw8qDeGdAUCZNzexQAKCRAsbEw8qDeG
dHLTAQDQYNsvK9FCnEPALciM+Bgpx47r9JAhFvdWzA5TfwSthwEA9Nj6Fx+NCoxY
t5BbPzXjuAlrWQSyN4z4fFGjgWKUmQA=
=25jN
-----END PGP SIGNATURE-----

--- End Message ---