Debian Bug report logs - #441209
CVE-2007-4743 Incorrect fix for CVE-2007-3999
Reported by: Nico Golde <nion@debian.org>
Date: Fri, 7 Sep 2007 13:06:01 UTC
Severity: grave
Tags: security
Found in version 1.6.dfsg.1-7
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>: Bug#441209; Package krb5.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: krb5
Version: 1.6.dfsg.1-7
Severity: grave
Tags: security
Hi,
a CVE was published for krb5.
CVE-2007-4743[0]:
The original patch for CVE-2007-3999 in svc_auth_gss.c in the
RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by
the Kerberos administration daemon (kadmind) and other applications that use
krb5, does not correctly check the buffer length in some environments and
architectures, which might allow remote attackers to conduct a buffer overflow
attack.
Please include the CVE id in your fix. I have an NMU package ready, if you
have no time or you are not fast enough I would also NMU the package :)
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4743
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #10 received at 441209-done@bugs.debian.org:
Hi,
I don't know how you uploaded a package on 4 September with
an updated patch published on 5 September. Anyway, cool you
did, so I close this bug.
Kind regards
Nico
--
Nico Golde - http://ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Sat, 06 Oct 2007 07:25:21 GMT).
Last modified: Wed Jun 19 13:35:55 2019