Bug#973880: krb5: CVE-2020-28196

2020-11-06 Thread Sam Hartman
Thanks for the note.  I've been meaning to do a much-needed krb5 update
and this definitely pushes it up the priority stack.
I'll work on this over the weekend.



Bug#973880: krb5: CVE-2020-28196

2020-11-06 Thread Salvatore Bonaccorso
Source: krb5
Version: 1.17-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 1.17-3

Hi,

The following vulnerability was published for krb5.

CVE-2020-28196[0]:
| MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3
| allows unbounded recursion via an ASN.1-encoded Kerberos message
| because the lib/krb5/asn.1/asn1_encode.c support for BER indefinite
| lengths lacks a recursion limit.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28196
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28196
[1] https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd

Regards,
Salvatore
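The advisory above describes the defect class: a BER decoder that recurses into nested constructed values of indefinite length (length octet 0x80, terminated by an end-of-contents pair 00 00) without a depth cap lets an attacker-controlled message drive recursion until the stack is exhausted. The following is an added example, not code from krb5 or from the referenced upstream commit, showing a small BER walker with the kind of recursion limit that mitigates this. The cap `BER_MAX_DEPTH`, the status enum and the helper `build_nested_indefinite` are assumptions made for the example; real Kerberos messages are deeper and richer than the nested SEQUENCE shapes constructed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed recursion cap for this example; the value is illustrative. */
#define BER_MAX_DEPTH 16

enum ber_status {
    BER_OK = 0,
    BER_TRUNCATED = 1,
    BER_DEPTH_EXCEEDED = 2,
    BER_BAD_ENCODING = 3
};

/* Walk one BER TLV at buf[0..len). On success store the bytes used in *consumed.
   Constructed values (tag bit 0x20) are walked recursively; an indefinite-length
   one (length octet 0x80) is walked until an end-of-contents pair (00 00). The
   depth check at the top is the mitigation: without it, nesting is unbounded. */
static enum ber_status ber_walk(const uint8_t *buf, size_t len, size_t *consumed,
                                int depth, size_t *max_seen)
{
    if (depth > BER_MAX_DEPTH) return BER_DEPTH_EXCEEDED;
    if (*max_seen < (size_t)depth) *max_seen = (size_t)depth;
    if (len < 2) return BER_TRUNCATED;

    uint8_t tag = buf[0];
    int constructed = (tag & 0x20) != 0;
    size_t pos = 1;
    uint8_t lb = buf[pos++];

    if (lb == 0x80) {
        /* Indefinite length is only legal for constructed encodings. */
        if (!constructed) return BER_BAD_ENCODING;
        for (;;) {
            if (pos + 2 <= len && buf[pos] == 0 && buf[pos + 1] == 0) {
                pos += 2;            /* end-of-contents reached */
                break;
            }
            if (pos >= len) return BER_TRUNCATED;
            size_t sub = 0;
            enum ber_status st = ber_walk(buf + pos, len - pos, &sub, depth + 1, max_seen);
            if (st != BER_OK) return st;
            pos += sub;
        }
        *consumed = pos;
        return BER_OK;
    }

    /* Definite length: short form (< 0x80) or long form (0x8N followed by N octets). */
    size_t content_len;
    if (lb < 0x80) {
        content_len = lb;
    } else {
        int nbytes = lb & 0x7f;
        if (nbytes == 0 || nbytes > (int)sizeof(size_t)) return BER_BAD_ENCODING;
        if (pos + (size_t)nbytes > len) return BER_TRUNCATED;
        content_len = 0;
        for (int i = 0; i < nbytes; i++) content_len = (content_len << 8) | buf[pos++];
    }
    if (content_len > len - pos) return BER_TRUNCATED;

    if (constructed) {
        size_t inner = 0;
        while (inner < content_len) {
            size_t sub = 0;
            enum ber_status st = ber_walk(buf + pos + inner, content_len - inner, &sub,
                                          depth + 1, max_seen);
            if (st != BER_OK) return st;
            inner += sub;
        }
    }
    *consumed = pos + content_len;
    return BER_OK;
}

/* Validate a whole message; *depth_out receives the deepest nesting walked. */
enum ber_status ber_check(const uint8_t *buf, size_t len, size_t *depth_out)
{
    size_t consumed = 0, max_seen = 0;
    enum ber_status st = ber_walk(buf, len, &consumed, 0, &max_seen);
    if (st == BER_OK && consumed != len) st = BER_BAD_ENCODING;
    if (depth_out) *depth_out = max_seen;
    return st;
}

/* Constructed test input: `levels` indefinite-length SEQUENCEs (30 80) wrapping one
   INTEGER 1 (02 01 01), each closed by an end-of-contents pair. Returns bytes written. */
size_t build_nested_indefinite(uint8_t *out, size_t cap, size_t levels)
{
    if (cap < levels * 4 + 3) return 0;
    size_t pos = 0;
    for (size_t i = 0; i < levels; i++) { out[pos++] = 0x30; out[pos++] = 0x80; }
    out[pos++] = 0x02; out[pos++] = 0x01; out[pos++] = 0x01;
    for (size_t i = 0; i < levels; i++) { out[pos++] = 0x00; out[pos++] = 0x00; }
    return pos;
}

int main(void)
{
    uint8_t buf[512];
    size_t d, n;
    n = build_nested_indefinite(buf, sizeof buf, 4);
    printf("4 levels: status %d, max depth %zu\n", ber_check(buf, n, &d), d);
    n = build_nested_indefinite(buf, sizeof buf, 100);
    printf("100 levels: status %d (rejected at depth %zu)\n", ber_check(buf, n, &d), d);
    return 0;
}
```

The depth counter is passed down the call chain rather than kept in a global, so the check holds for every path that re-enters the walker, and a rejected message fails with a clean status instead of exhausting the stack. On the detection side, a peer that sends such deeply nested indefinite-length Kerberos messages is itself a signal worth logging.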