Bugzilla – Bug 719393
VUL-0: krb5: kdc remote denial of service
Last modified: 2019-05-01 15:59:32 UTC
Your friendly security team received the following report via security@suse.de. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE. Note that build.opensuse.org *cannot* be used to prepare embargoed updates. CVE-2011-1527: In releases krb5-1.9 and later, the KDC can crash due to a null pointer dereference if configured to use the LDAP back end. CVE-2011-1528: In releases krb5-1.8 and later, the KDC can crash due to an assertion failure. CVE-2011-1529: In releases krb5-1.8 and later, the KDC can crash due to a null pointer dereference. All bugs can be triggered by unauthenticated remote attackers.
JFYI: SLES10 has 1.4.x and SLES11 has 1.6.x. So both are not affected. openSUSE 11.3 and 11.4 has krb5-1.8.x So they are affected by CVE-2011-1528 and CVE-2011-1529 Factory aka 12.1 has 1.9.x and is affected by all of these. I will update openSUSE after 18 October 2011 (CRD)
Patches ready on my HD. JFYI: 12.1 not yet released. This means that I will submit the fix to Factory as soon as CRD reached.
The SWAMPID for this issue is 43703. This issue was rated as important. Please submit fixed packages until 2011-10-25. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
There is also bnc#698471 on the planned update list. Can you incorporate these?
See Bug 698471 Comment #4: package krb5-appl: openSUSE 11.3, 11.4, Factory This means, that a different package is affected. krb5-appl is already submitted to 11.3 and 11.4. If you want to include them too, take care to add the package to the patchinfo file. In SLES 11 SP1 this fix is part of the main krb5 package which is also submitted, but not checked in yet. But *this* Bug does not affect SLES11 SP1. What do you want to release?
I added krb5-appl to the swamp. So, for SLE it seems 698471 stays on the planned list since we are not doing updates for this one either as its not affected. So at the end we just have box updates for both bugs handled by swamp 43703.
Ok, fine. I will submit krb5 packages tomorrow to OBS after the announcement is out.
Packages submited.
This is an autogenerated message for OBS integration: This bug (719393) was mentioned in https://build.opensuse.org/request/show/88659 Factory / krb5 https://build.opensuse.org/request/show/88660 11.3 / krb5 https://build.opensuse.org/request/show/88661 11.4 / krb5
Update released for: krb5, krb5-appl, krb5-appl-clients, krb5-appl-clients-debuginfo, krb5-appl-debugsource, krb5-appl-servers, krb5-appl-servers-debuginfo, krb5-client, krb5-client-debuginfo, krb5-debuginfo, krb5-debugsource, krb5-devel, krb5-plugin-kdb-ldap, krb5-plugin-kdb-ldap-debuginfo, krb5-plugin-preauth-pkinit, krb5-plugin-preauth-pkinit-debuginfo, krb5-server, krb5-server-debuginfo Products: openSUSE 11.3 (debug, i586, x86_64) openSUSE 11.4 (debug, i586, x86_64)
done