Hi,

On Tue, May 14, 2019 at 11:55:42AM +0200, Salvatore Bonaccorso wrote:
> Hi Brian,
>
> On Tue, May 14, 2019 at 06:11:05PM +1000, Brian May wrote:
> > Salvatore Bonaccorso <car...@debian.org> writes:
> >
> > > Source: heimdal
> > > Version: 7.5.0+dfsg-2.1
> > > Severity: important
> > > Tags: security upstream
> > > Control: found -1 7.1.0+dfsg-13+deb9u2
> > > Control: found -1 7.1.0+dfsg-13
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for heimdal, actually just
> > > what is affecting samba embedded copy of heimdal.
> > >
> > > CVE-2018-16860[0]:
> > > Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
> > >
> > > If you fix the vulnerability please also make sure to include the
> > > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > >
> > > For further information see:
> > >
> > > [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> > >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
> > >
> > > Please adjust the affected versions in the BTS as needed, all versions
> > > starting from 0.8 upwards including 7.5.0 are affected.
> > >
> > > What is your take on this? Does this need a DSA or is an update via an
> > > upcoming point release enough?
> >
> > I am hardly authoritative on this, however my rough take right now is:
> >
> > * There is a vulnerability.
> > * The fix is simple. Looking at the Samba patches, I suspect we only
> >   need the bit that alters krb5tgs.c - below.
> > * Not convinced this can actually be exploited without AD. It is
> >   unlikely you would be using the stock Heimdal with AD. So possible
> >   we don't need to worry.
>
> Alright, I will mark it no-dsa for stretch then at least. For buster,
> might be still good to have the fix go in?
For reference this is the patch in heimdal git repo:
https://github.com/heimdal/heimdal/commit/c6257cc2c842c0faaeb4ef34e33890ee88c4cbba

Regards,
Salvatore