Debian Long Term Support / LTS Security Information / 2018 / Security Information -- DLA-1265-1 krb5

Debian Security Advisory

DLA-1265-1 krb5 -- LTS security update

Date Reported:

31 Jan 2018

Affected Packages:

krb5

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 728845, Bug 762479, Bug 773226, Bug 778647, Bug 819468, Bug 832572.
In Mitre's CVE dictionary: CVE-2013-1418, CVE-2014-5351, CVE-2014-5353, CVE-2014-5355, CVE-2016-3119, CVE-2016-3120.

More information:

Kerberos, a system for authenticating users and services on a network, was affected by several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues.

• CVE-2013-1418

  Kerberos allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request when multiple realms are configured.

• CVE-2014-5351

  Kerberos sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.

• CVE-2014-5353

  When the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.

• CVE-2014-5355

  Kerberos expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character,

• CVE-2016-3119

  Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.

• CVE-2016-3120

  Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.

For Debian 7 Wheezy, these problems have been fixed in version 1.10.1+dfsg-5+deb7u9.

We recommend that you upgrade your krb5 packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS