Omfg. Zero day. On 4 Feb 2016 23:04, "Salvatore Bonaccorso" <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > - ------------------------------------------------------------------------- > Debian Security Advisory DSA-3466-1 [email protected] > https://www.debian.org/security/ Salvatore Bonaccorso > February 04, 2016 https://www.debian.org/security/faq > - ------------------------------------------------------------------------- > > Package : krb5 > CVE ID : CVE-2015-8629 CVE-2015-8630 CVE-2015-8631 > Debian Bug : 813126 813127 813296 > > Several vulnerabilities were discovered in krb5, the MIT implementation > of Kerberos. The Common Vulnerabilities and Exposures project identifies > the following problems: > > CVE-2015-8629 > > It was discovered that an authenticated attacker can cause kadmind > to read beyond the end of allocated memory by sending a string > without a terminating zero byte. Information leakage may be possible > for an attacker with permission to modify the database. > > CVE-2015-8630 > > It was discovered that an authenticated attacker with permission to > modify a principal entry can cause kadmind to dereference a null > pointer by supplying a null policy value but including KADM5_POLICY > in the mask. > > CVE-2015-8631 > > It was discovered that an authenticated attacker can cause kadmind > to leak memory by supplying a null principal name in a request which > uses one. Repeating these requests will eventually cause kadmind to > exhaust all available memory. > > For the oldstable distribution (wheezy), these problems have been fixed > in version 1.10.1+dfsg-5+deb7u7. The oldstable distribution (wheezy) is > not affected by CVE-2015-8630. > > For the stable distribution (jessie), these problems have been fixed in > version 1.12.1+dfsg-19+deb8u2. > > We recommend that you upgrade your krb5 packages. > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: https://www.debian.org/security/ > > Mailing list: [email protected] > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1 > > iQIcBAEBCgAGBQJWs7yCAAoJEAVMuPMTQ89E6zkP/0QCDJ5v0GGvYo0wzd9Kkj8c > S7jXr1N34kFZCggbVF20C7d0BYYLmrDfyfyQAhDIcnzwbe0NQpyR5sAr3qv8v/xk > 4OOTlR/l0DBPwxscGbBI1dIYCFBk/w6Q0f57mbz/QQiGiY/Xnjfd9fs7Muqs4hAb > /j4ToBmEUY6tmyS0PZGoyYBYM/zkVPxLT7xjPu9vEtbb2unZhghos2dtaJHVvk7U > YjdA25CTWAR2ige38v8Ml+sRsU7UNMmXzhDaeBBhEOKuEBfKycwgfRHaBk7k0YXy > 0j89+AZdGLs7kn7YY9QUh3Af+a3L7oiXJ0TG4F9hqhNCkG954B5LAqYmkAh7jBmP > I9CoIO4+uyjQB253gIx7DdWrAel+JbQy8g8+kgHaUaY8wfIoFZ1YRgsGzRSnH8PK > 2oGk1XaqVpQYqVP/Gc3FBg9r4TJIsPOlFIkQivtmbg65wSH/LLrCa0DyU5yAVZuM > 0+0XfDHIDMZqe7Z6+FppHozk7AhB++kSuZF17I0IJR/edARsJPw61Q3tQF4Vormu > h7rNfh7Br5bRA6//xsnWsKA26ZR238NH3YUk12Cw2B1cH4nbSba0Dss3G90jQxZn > eYu3C1XeNTsaGeAPEKKYty/GxW/gQCWvLbvM6AqnIxDhwqjVVo18WjUoFQDZW6aa > YHpYvqcqBRxjFizxH7D2 > =X2oA > -----END PGP SIGNATURE----- > >
