Debian Long Term Support / LTS Security Information / 2016 / Security Information -- DLA-423-1 krb5

Debian Security Advisory

DLA-423-1 krb5 -- LTS security update

Date Reported:

22 Feb 2016

Affected Packages:

krb5

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 813126, Bug 813296.
In Mitre's CVE dictionary: CVE-2015-8629, CVE-2015-8631.

More information:

• CVE-2015-8629

  It was discovered that an authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the database.

• CVE-2015-8631

  It was discovered that an authenticated attacker can cause kadmind to leak memory by supplying a null principal name in a request which uses one. Repeating these requests will eventually cause kadmind to exhaust all available memory.