Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-146-1 krb5

Debian Security Advisory

DLA-146-1 krb5 -- LTS security update

Date Reported:

07 Feb 2015

Affected Packages:

krb5

Vulnerable:

Yes

Security database references:

In Mitre's CVE dictionary: CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423.

More information:

Multiples vulnerabilities have been found in krb5, the MIT implementation of Kerberos:

• CVE-2014-5352

  Incorrect memory management in the libgssapi_krb5 library might result in denial of service or the execution of arbitrary code.

• CVE-2014-9421

  Incorrect memory management in kadmind's processing of XDR data might result in denial of service or the execution of arbitrary code.

• CVE-2014-9422

  Incorrect processing of two-component server principals might result in impersonation attacks.

• CVE-2014-9423

  An information leak in the libgssrpc library.

For Debian 6 Squeeze, these issues have been fixed in krb5 version 1.8.3+dfsg-4squeeze9