Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#17313 closed enhancement (fixed)

krb5-1.20.1

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: elevated Milestone: 11.3
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Bruce Dubbs, 2 years ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:2 by Bruce Dubbs, 2 years ago

Major changes in 1.20.1 (2022-11-15)

  • Fix integer overflows in PAC parsing [CVE-2022-42898].
  • Fix null deref in KDC when decoding invalid NDR.
  • Fix memory leak in OTP kdcpreauth module.
  • Fix PKCS11 module path search.

The CVE is where Kerberos libraries and AD DC failed to guard against integer overflows when parsing a PAC on a 32-bit system, which allowed an attacker with a forged PAC to corrupt the heap.

It does not seem to affect 64-bit systems.

comment:3 by Bruce Dubbs, 2 years ago

Resolution: fixed
Status: assignedclosed

Fixed at commits 

de8ae35b4a Update to nghttp2-1.51.0.
11672910e0 Update to xfsprogs-6.0.0.
7756281c69 Update to sysstat-12.7.1.
e0e8726f9b U:pdate to krb5-1.20.1.

comment:4 by Douglas R. Reno, 2 years ago

Priority: normalelevated

comment:5 by Douglas R. Reno, 2 years ago

Issued SA-11.2-044

Note: See TracTickets for help on using tickets.