Bugzilla – Bug 850660
VUL-0: CVE-2013-1417: krb5: KDC null deref due to referrals
Last modified: 2013-12-07 22:21:08 UTC
CVE-2013-1417

An authenticated remote client can cause a KDC to crash by making a valid TGS-REQ to a KDC serving a realm with a single-component name. The process_tgs_req() function dereferences a null pointer because an unusual failure condition causes a helper function to return success.

The vulnerable configuration is not likely to arise in practice. (Realm names that have a single component are likely to be test realms.) Releases prior to krb5-1.11 are not vulnerable.

References:
https://github.com/krb5/krb5/commit/4c023ba43c16396f0d199e2df1cfa59b88b62acc
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1417
https://bugzilla.redhat.com/show_bug.cgi?id=1030743
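The failure mode in the description above (a helper that reports success on an unusual input while leaving its result pointer null, and a caller that trusts the return code alone) is modelled in the added example below. This is constructed illustration code, not krb5's process_tgs_req() or its helper; the realm table, the split-on-'.' rule and the function names are assumptions chosen only to show the pattern and the defensive check that closes it.

```c
#include <stddef.h>
#include <string.h>

/* Constructed, hypothetical model of the failure mode in the bug text:
 * a lookup helper that returns 0 ("success") but leaves *out == NULL on
 * an unusual input.  This is not krb5 code. */

struct realm_entry { const char *name; const char *kdc; };

static const struct realm_entry TABLE[] = {
    { "EXAMPLE.COM", "kdc.example.com" },   /* constructed sample entry */
};

/* Hypothetical helper: only performs the lookup when the realm name has
 * at least two components.  A single-component name (no '.') takes the
 * unusual path and still returns 0 with *out left NULL. */
int find_realm_buggy(const char *realm, const struct realm_entry **out)
{
    *out = NULL;
    if (strchr(realm, '.') == NULL)
        return 0;                       /* "success" without a result */
    for (size_t i = 0; i < sizeof TABLE / sizeof TABLE[0]; i++) {
        if (strcmp(TABLE[i].name, realm) == 0) {
            *out = &TABLE[i];
            return 0;
        }
    }
    return -1;                          /* genuine failure: unknown realm */
}

/* Caller that trusts the return code alone.  For a single-component
 * realm name it dereferences NULL (the crash described in the bug). */
const char *kdc_for_realm_unchecked(const char *realm)
{
    const struct realm_entry *e;
    if (find_realm_buggy(realm, &e) != 0)
        return NULL;
    return e->kdc;                      /* NULL dereference when e == NULL */
}

/* Hardened caller: a success return that carries no result is treated as
 * a failure, so the unusual path can no longer reach the dereference. */
const char *kdc_for_realm_checked(const char *realm)
{
    const struct realm_entry *e;
    if (find_realm_buggy(realm, &e) != 0 || e == NULL)
        return NULL;
    return e->kdc;
}

/* Detection aid: reports whether the unchecked caller would dereference
 * NULL for this realm name, without actually doing so. */
int would_crash(const char *realm)
{
    const struct realm_entry *e;
    return find_realm_buggy(realm, &e) == 0 && e == NULL;
}
```

The point of the hardened caller is that "the helper returned success" and "the helper produced a result" are two separate conditions; the fix in the referenced upstream commit addresses the same class of mismatch, and the check above is the general form a caller can apply regardless of how the helper is later corrected.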
bugbot adjusting priority
SLES 11 has 1.6.3, so SLES 11 and older are not affected. openSUSE probably needs updates.
This is an autogenerated message for OBS integration: This bug (850660) was mentioned in https://build.opensuse.org/request/show/207858 13.1+12.2+12.3 / krb5+krb5-mini+krb5-doc
This is an autogenerated message for OBS integration: This bug (850660) was mentioned in https://build.opensuse.org/request/show/207880 13.1 / krb5
openSUSE-SU-2013:1833-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 849240, 850660
CVE References: CVE-2013-1417, CVE-2013-1418
Sources used:
openSUSE 13.1 (src): krb5-1.11.3-3.4.1, krb5-mini-1.11.3-3.4.1
released