Bug#704775: krb5: KDC TGS-REQ null deref (CVE-2013-1416)

2013-04-07 Thread Benjamin Kaduk
On Sat, 6 Apr 2013, Michael Gilbert wrote:
> I'm not seeing any new kerberos releases: http://web.mit.edu/kerberos/krb5-1.10

Current Kerberos Security Team policy is to not issue security advisories for null pointer dereference crashes. We assign CVE numbers for tracking, but do not delay

Bug#704775: krb5: KDC TGS-REQ null deref (CVE-2013-1416)

2013-04-06 Thread Michael Gilbert
I'm not seeing any new kerberos releases: http://web.mit.edu/kerberos/krb5-1.10

Is this perhaps not meant to be public knowledge yet?

Best wishes,
Mike

Bug#704775: krb5: KDC TGS-REQ null deref (CVE-2013-1416)

2013-04-05 Thread Benjamin Kaduk
Package: krb5-kdc
Version: 1.10.1+dfsg-4+nmu1
Severity: serious

Upstream has patched against CVE-2013-1416; Debian should as well. By sending an unusual but valid TGS-REQ, an authenticated remote attacker can cause the KDC process to crash by dereferencing a null pointer. Only krb5 releases