UbuntuUpdates.org

Package "krb5-multidev"

Name: krb5-multidev

Description:

Development files for MIT Kerberos without Heimdal conflict
Latest version: 1.13.2+dfsg-5ubuntu2.2
Release: xenial (16.04)
Level: security
Repository: main
Head package: krb5
Homepage: http://web.mit.edu/kerberos/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "krb5-multidev"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "krb5-multidev" in Xenial

Repository Area Version
base main 1.13.2+dfsg-5
updates main 1.13.2+dfsg-5ubuntu2.2

Changelog

Version: 1.13.2+dfsg-5ubuntu2.2 2020-11-17 16:07:43 UTC

  krb5 (1.13.2+dfsg-5ubuntu2.2) xenial-security; urgency=medium

  * SECURITY UPDATE: Unbounded recursion
    - debian/patches/CVE-2020-28196.patch: adds recursion limit for ASN.1
      indefinite lenghts in src/lib/krb5/asn.1/asn1_encode.c.
    - CVE-2020-28196

 -- <email address hidden> (Leonidas S. Barbosa) Wed, 11 Nov 2020 11:24:12 -0300
Source diff to previous version
CVE-2020-28196 MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message because the lib/krb

Version: 1.13.2+dfsg-5ubuntu2.1 2019-01-14 23:06:33 UTC

  krb5 (1.13.2+dfsg-5ubuntu2.1) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS (NULL pointer dereference) via a crafted request to
    modify a principal
    - debian/patches/CVE-2016-3119.patch: Fix LDAP null dereference on
      empty arg
    - CVE-2016-3119
  * SECURITY UPDATE: DoS (NULL pointer dereference) via an S4U2Self request
    - debian/patches/CVE-2016-3120.patch: Fix S4U2Self KDC crash when anon
      is restricted
    - CVE-2016-3120
  * SECURITY UPDATE: KDC assertion failure
    - debian/patches/CVE-2017-11368-1.patch: Prevent KDC unset status
      assertion failures
    - debian/patches/CVE-2017-11368-2.patch: Simplify KDC status assignment
    - CVE-2017-11368
  * SECURITY UPDATE: Double free vulnerability
    - debian/patches/CVE-2017-11462.patch: Preserve GSS context on init/accept
      failure
    - CVE-2017-11462
  * SECURITY UPDATE: Authenticated kadmin with permission to add principals
    to an LDAP Kerberos can DoS or bypass DN container check.
    - debian/patches/CVE-2018-5729-CVE-2018-5730.patch: Fix flaws in LDAP DN
      checking
    - CVE-2018-5729
    - CVE-2018-5730

 -- Eduardo Barretto <email address hidden> Fri, 11 Jan 2019 13:46:00 -0200
CVE-2016-3119 The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through
CVE-2016-3120 The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.
CVE-2017-11368 In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requ
CVE-2017-11462 Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of securi
CVE-2018-5729 MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NUL
CVE-2018-5730 MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership


About   -   Send Feedback to @ubuntu_updates