In Debian, this was fixed in 7.7.0+dfsg-2+deb11u1 in bullseye(-security)
- i.e., 7.7.0+dfsg-2 was still affected.
7.7.0+dfsg-3 includes a fix for a different CVE:
  heimdal (7.7.0+dfsg-3) unstable; urgency=high
    * Fix CVE-2021-3671: A null pointer de-reference was found in the way
      samba kerberos server handled missing sname in TGS-REQ. Closes: #996586.
    * Fix autoconf 2.7 issues
In focal, this was fixed in 7.7.0+dfsg-1ubuntu1.3 on Wed, 11 Jan 2023
    * SECURITY UPDATE: invalid free
      - debian/patches/CVE-2022-44640.patch: relocates a call to fprintf and
        parameters when calling it in decode_type() in lib/asn1/gen_decode.c
        and add a call to fprintf in free_type() in lib/asn1/gen_free.c.
      - CVE-2022-44640
In jammy, we have 7.7.0+dfsg-3ubuntu1. As mentioned above, 7.7.0+dfsg-3
does not include the fix for the mentioned CVE. Moreover, our delta in
this release is just the former delta being carried by the merge:
  heimdal (7.7.0+dfsg-3ubuntu1) jammy; urgency=medium
    * Merge with Debian unstable (LP: #1946860). Remaining changes:
      - Disable lto, to regain dep on roken, otherwise dependencies on amd64
        are different to i386 resulting in different files on amd64 and
        i386. LP #1934936
      - Remove symbol rk_closefrom@HEIMDAL_ROKEN_1.0 1.4.0+git20110226
        (LP #1945787)
Therefore, this does seem to still be affected by the CVE, as reported.
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3671
** Changed in: heimdal (Ubuntu)
Status: New => Triaged
https://bugs.launchpad.net/bugs/2054916
Title:
CVE-2022-44640 affects the version of heimdal on ubuntu 22.04 - could
it be updated?