Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-3395-1 krb5 -- security update

Related Vulnerabilities: CVE-2015-2695   CVE-2015-2696   CVE-2015-2697  

Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2015-2695 It was discovered that applications which call gss_inquire_context() on a partially-established SPNEGO context can cause the GSS-API library to read from a pointer using the wrong type, leading to a process crash. CVE-2015-2696 It was discovered that applications which call gss_inquire_context() on a partially-established IAKERB context can cause the GSS-API library to read from a pointer using the wrong type, leading to a process crash. CVE-2015-2697 It was discovered that the build_principal_va() function incorrectly handles input strings. An authenticated attacker can take advantage of this flaw to cause a KDC to crash using a TGS request with a large realm field beginning with a null byte. For the oldstable distribution (wheezy), these problems have been fixed in version 1.10.1+dfsg-5+deb7u4. For the stable distribution (jessie), these problems have been fixed in version 1.12.1+dfsg-19+deb8u1. For the testing distribution (stretch), these problems have been fixed in version 1.13.2+dfsg-3. For the unstable distribution (sid), these problems have been fixed in version 1.13.2+dfsg-3. We recommend that you upgrade your krb5 packages.

Source

Debian Security Advisory

DSA-3395-1 krb5 -- security update

Date Reported:
06 Nov 2015
Affected Packages:
krb5
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 803083, Bug 803084, Bug 803088.
In Mitre's CVE dictionary: CVE-2015-2695, CVE-2015-2696, CVE-2015-2697.
More information:

Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems:

  • CVE-2015-2695

    It was discovered that applications which call gss_inquire_context() on a partially-established SPNEGO context can cause the GSS-API library to read from a pointer using the wrong type, leading to a process crash.

  • CVE-2015-2696

    It was discovered that applications which call gss_inquire_context() on a partially-established IAKERB context can cause the GSS-API library to read from a pointer using the wrong type, leading to a process crash.

  • CVE-2015-2697

    It was discovered that the build_principal_va() function incorrectly handles input strings. An authenticated attacker can take advantage of this flaw to cause a KDC to crash using a TGS request with a large realm field beginning with a null byte.

For the oldstable distribution (wheezy), these problems have been fixed in version 1.10.1+dfsg-5+deb7u4.

For the stable distribution (jessie), these problems have been fixed in version 1.12.1+dfsg-19+deb8u1.

For the testing distribution (stretch), these problems have been fixed in version 1.13.2+dfsg-3.

For the unstable distribution (sid), these problems have been fixed in version 1.13.2+dfsg-3.

We recommend that you upgrade your krb5 packages.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started