On Wed, 2016-08-17 at 13:26 +0300, Alexandru Moise wrote: > This is CVE-2016-3120 > > The validate_as_request function in kdc_util.c in the Key > Distribution > Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x > before > 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect > client data structure, which allows remote authenticated users to > cause > a denial of service (NULL pointer dereference and daemon crash) via > an > S4U2Self request. > > Signed-off-by: Alexandru Moise <[email protected]> > --- > .../krb5/krb5/krb5-CVE-2016-3120.patch | 63 > ++++++++++++++++++++++ > meta-oe/recipes-connectivity/krb5/krb5_1.13.2.bb | 1 + > 2 files changed, 64 insertions(+) > create mode 100644 meta-oe/recipes-connectivity/krb5/krb5/krb5-CVE > -2016-3120.patch
This is a meta-oe patch which needs to go to the openembedded-devel list and also needs a correct shortlog (which mentions its fixing krb5 recipe as a prefix). Cheers, Richard -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
