Debian Security Advisory
DLA-423-1 krb5 -- LTS security update
- Date Reported: 22 Feb 2016
- Affected Packages:
- Security database references:
  In the Debian bugtracking system: Bug 813126, Bug 813296.
  In Mitre's CVE dictionary: CVE-2015-8629, CVE-2015-8631.
- More information:
It was discovered that an authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the database.
It was discovered that an authenticated attacker can cause kadmind to leak memory by supplying a null principal name in a request which uses one. Repeating these requests will eventually cause kadmind to exhaust all available memory.
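The first issue above comes from treating received bytes as a C string without confirming that they end in a zero byte. The following C decoder is an added illustration, not krb5's code and not part of the advisory: it validates a counted string before any string function can touch it. The wire layout, function names and status codes are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { DEC_OK = 0, DEC_ABSENT = 1, DEC_TRUNCATED = -1, DEC_UNTERMINATED = -2,
       DEC_EMBEDDED_NUL = -3, DEC_NOMEM = -4 };

/* Assumed wire layout (illustrative): 4-byte big-endian count, then `count`
 * bytes. The count includes the terminating zero byte; 0 means "no string". */
static int decode_counted_string(const uint8_t *buf, size_t len, char **out)
{
    *out = NULL;
    if (len < 4) return DEC_TRUNCATED;
    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (n == 0) return DEC_ABSENT;
    if (n > len - 4) return DEC_TRUNCATED;       /* count must fit the message */
    const uint8_t *s = buf + 4;
    if (s[n - 1] != '\0') return DEC_UNTERMINATED;   /* terminator missing */
    if (memchr(s, '\0', n - 1) != NULL) return DEC_EMBEDDED_NUL;
    char *copy = malloc(n);
    if (copy == NULL) return DEC_NOMEM;
    memcpy(copy, s, n);
    *out = copy;                 /* now safe for strlen/strcmp/printf("%s") */
    return DEC_OK;
}

/* Decode, release the copy, and report only the status. */
static int decode_status(const uint8_t *buf, size_t len)
{
    char *s = NULL;
    int rc = decode_counted_string(buf, len, &s);
    free(s);
    return rc;
}

/* Constructed sample messages. */
static const uint8_t MSG_OK[]     = {0, 0, 0, 4, 'a', 'b', 'c', 0};
static const uint8_t MSG_NO_NUL[] = {0, 0, 0, 3, 'a', 'b', 'c'};
static const uint8_t MSG_ABSENT[] = {0, 0, 0, 0};
static const uint8_t MSG_SHORT[]  = {0, 0, 0, 9, 'a', 0};
static const uint8_t MSG_EMBED[]  = {0, 0, 0, 4, 'a', 0, 'c', 0};

int main(void)
{
    printf("terminated: %d, unterminated: %d\n",
           decode_status(MSG_OK, sizeof MSG_OK),
           decode_status(MSG_NO_NUL, sizeof MSG_NO_NUL));
    return 0;
}
```

Without the terminator check, a later `strlen` or `%s` on the 3-byte sample would keep reading past the allocation until it happened to meet a zero byte.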