On Wed, Jul 21, 2021 at 10:01:23AM -0600, Sam Hartman wrote:
> control: severity -1 important
>
> Salvatore> The following vulnerability was published for krb5.
>
> Salvatore> CVE-2021-36222[0]: | sending a request containing a
> Salvatore> PA-ENCRYPTED-CHALLENGE padata element | without using
> Salvatore> FAST could result in null dereference in the KDC which |
> Salvatore> leads to DoS
>
> On a Debian system with systemd, the KDC will restart, significantly
> limiting the impact of this bug.
> I'm going to argue for important, although if you want to push to
> serious, I won't fight it.
> I'm busy with Family obligations scattered throughout the day, but it
> sounded like Benjamin Kaduk
> might be available to help.

Yes, I have some time to help.

Given that Salvatore filed the report, I am assuming that this would qualify for a security upload for stretch. However, the upstream commit claims that only krb5 1.16 and later are affected, so I will attempt to check whether stretch is actually affected.

If I understand correctly given the current state of buster freeze, I will need to upload the targeted fix to sid and request an unblock (as opposed to being able to do a security upload).

-Ben