Source: python-kdcproxy
Version: 1.0.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/latchset/kdcproxy/pull/68
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 1.0.0-1
Hi,

The following vulnerabilities were published for python-kdcproxy.

CVE-2025-59088[0]:
| If kdcproxy receives a request for a realm which does not have
| server addresses defined in its configuration, by default, it will
| query SRV records in the DNS zone matching the requested realm name.
| This creates a server-side request forgery vulnerability, since an
| attacker could send a request for a realm matching a DNS zone where
| they created SRV records pointing to arbitrary ports and hostnames
| (which may resolve to loopback or internal IP addresses). This
| vulnerability can be exploited to probe internal network topology
| and firewall rules, perform port scanning, and exfiltrate data.
| Deployments where the "use_dns" setting is explicitly set to false
| are not affected.

CVE-2025-59089[1]:
| If an attacker causes kdcproxy to connect to an attacker-controlled
| KDC server (e.g. through server-side request forgery), they can
| exploit the fact that kdcproxy does not enforce bounds on TCP
| response length to conduct a denial-of-service attack. While
| receiving the KDC's response, kdcproxy copies the entire buffered
| stream into a new buffer on each recv() call, even when the transfer
| is incomplete, causing excessive memory allocation and CPU usage.
| Additionally, kdcproxy accepts incoming response chunks as long as
| the received data length is not exactly equal to the length
| indicated in the response header, even when individual chunks or the
| total buffer exceed the maximum length of a Kerberos message. This
| allows an attacker to send unbounded data until the connection
| timeout is reached (approximately 12 seconds), exhausting server
| memory or CPU resources. Multiple concurrent requests can cause
| accept queue overflow, denying service to legitimate clients.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59088
    https://www.cve.org/CVERecord?id=CVE-2025-59088
[1] https://security-tracker.debian.org/tracker/CVE-2025-59089
    https://www.cve.org/CVERecord?id=CVE-2025-59089
[2] https://github.com/latchset/kdcproxy/pull/68

Regards,
Salvatore
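The kind of bounded TCP response reader the CVE-2025-59089 description calls for, as an added illustration that is not kdcproxy's own code nor the fix in pull request 68: it validates the 4-byte length prefix against a cap before reading any body, and appends chunks to a single buffer instead of re-copying the accumulated stream on every recv(). The 64 KiB cap and the FakeSocket harness are assumptions constructed for this example.

```python
import struct

# Assumed bound, not taken from kdcproxy or its fix: a real KDC reply is far
# smaller, so a larger length prefix is treated as hostile and never buffered.
MAX_KDC_MESSAGE_LEN = 64 * 1024

class ResponseTooLarge(Exception): """Length prefix exceeds the configured maximum."""
class TruncatedResponse(Exception): """Peer closed before the announced length arrived."""

def _recv_exact(sock, n):
    """Collect exactly n bytes, appending to one bytearray instead of
    re-copying the whole accumulated buffer on every recv() call."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(4096, n - len(buf)))  # never read past the frame
        if not chunk:
            raise TruncatedResponse(f"got {len(buf)} of {n} bytes")
        buf += chunk
    return bytes(buf)

def read_kdc_tcp_response(sock, max_len=MAX_KDC_MESSAGE_LEN):
    """Read one TCP-framed KDC reply (RFC 4120 7.2.2): a 4-byte big-endian
    length whose high bit is reserved and must be zero, then the body.
    The announced length is checked against max_len before any body is read."""
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    if length & 0x80000000:
        raise ValueError("reserved high bit set in KDC length prefix")
    if length > max_len:
        raise ResponseTooLarge(f"announced {length} bytes, limit {max_len}")
    return _recv_exact(sock, length)

class FakeSocket:
    """Constructed socket stand-in serving a fixed stream in small chunks."""
    def __init__(self, data, chunk=3):
        self._data, self._pos, self._chunk = data, 0, chunk
    def recv(self, n):
        piece = self._data[self._pos:self._pos + min(n, self._chunk)]
        self._pos += len(piece)
        return piece

def classify_stream(data, max_len=MAX_KDC_MESSAGE_LEN):
    """Run the reader over a constructed byte stream and report the outcome."""
    try:
        return "ok", read_kdc_tcp_response(FakeSocket(data), max_len)
    except ResponseTooLarge:
        return "too_large", None
    except TruncatedResponse:
        return "truncated", None
```

Setting use_dns to false, as the CVE-2025-59088 description notes, removes the path by which the proxy could be steered to such a server in the first place.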

