Bugzilla – Bug 849240
VUL-0: CVE-2013-1418: krb5: multi-realm KDC null dereference leads to crash
Last modified: 2014-03-04 15:48:16 UTC
via rh bugzilla
Multi-realm KDC null deref [CVE-2013-1418]
If a KDC serves multiple realms, certain requests can cause setup_server_realm() to dereference a null pointer, crashing the KDC.
CVSSv2: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
A related but more minor vulnerability requires authentication to exploit, and is only present if a third-party KDC database module can dereference a null pointer under certain conditions.
(back ported from commit 5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf)
http://mailman.mit.edu/pipermail/krb5-bugs/2013-November/010206.html
https://github.com/krb5/krb5/commit/5d2d9a1abe46a2c1a8614d4672d08d9d30a5f8bf
https://bugzilla.redhat.com/show_bug.cgi?id=1026942
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7757
The SWAMPID for this issue is 54995. This issue was rated as moderate. Please submit fixed packages until 2013-11-21. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
packages submitted, assigning to security team
This is an autogenerated message for OBS integration: This bug (849240) was mentioned in https://build.opensuse.org/request/show/206311 12.2+12.3 / krb5+krb5-mini+krb5-doc
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (849240) was mentioned in https://build.opensuse.org/request/show/207086 Evergreen:11.2:Test / krb5
openSUSE-SU-2013:1738-1: An update that fixes one vulnerability is now available.
Category: security (low)
Bug References: 849240
CVE References: CVE-2013-1418
Sources used:
openSUSE 12.3 (src): krb5-1.10.2-10.22.1, krb5-doc-1.10.2-10.22.2, krb5-mini-1.10.2-10.22.1
openSUSE 12.2 (src): krb5-1.10.2-3.25.1, krb5-doc-1.10.2-3.25.2, krb5-mini-1.10.2-3.25.1
This is an autogenerated message for OBS integration: This bug (849240) was mentioned in https://build.opensuse.org/request/show/207858 13.1+12.2+12.3 / krb5+krb5-mini+krb5-doc
This is an autogenerated message for OBS integration: This bug (849240) was mentioned in https://build.opensuse.org/request/show/207880 13.1 / krb5
openSUSE-SU-2013:1751-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 849240
CVE References: CVE-2013-1418
Sources used:
openSUSE 11.4 (src): krb5-1.8.3-67.1
This is an autogenerated message for OBS integration: This bug (849240) was mentioned in https://build.opensuse.org/request/show/208985 Evergreen:11.2 / krb5
openSUSE-SU-2013:1833-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 849240,850660
CVE References: CVE-2013-1417,CVE-2013-1418
Sources used:
openSUSE 13.1 (src): krb5-1.11.3-3.4.1, krb5-mini-1.11.3-3.4.1
Update released for: krb5, krb5-32bit, krb5-apps-clients, krb5-apps-servers, krb5-client, krb5-debuginfo, krb5-debuginfo-32bit, krb5-debugsource, krb5-devel, krb5-devel-32bit, krb5-doc, krb5-plugin-kdb-ldap, krb5-plugin-preauth-pkinit, krb5-plugins, krb5-server
Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Update released for: krb5, krb5-32bit, krb5-apps-clients, krb5-apps-servers, krb5-client, krb5-debuginfo, krb5-devel, krb5-devel-32bit, krb5-server
Products: SLE-SERVER 10-SP3-TERADATA (x86_64)
Update released for: krb5, krb5-32bit, krb5-apps-clients, krb5-apps-servers, krb5-client, krb5-debuginfo, krb5-debuginfo-32bit, krb5-debuginfo-x86, krb5-debugsource, krb5-devel, krb5-devel-32bit, krb5-doc, krb5-plugin-kdb-ldap, krb5-plugin-preauth-pkinit, krb5-plugins, krb5-server, krb5-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Update released for: krb5, krb5-32bit, krb5-apps-clients, krb5-apps-servers, krb5-client, krb5-debuginfo, krb5-debuginfo-32bit, krb5-debuginfo-x86, krb5-debugsource, krb5-devel, krb5-devel-32bit, krb5-doc, krb5-plugin-kdb-ldap, krb5-plugin-preauth-pkinit, krb5-plugins, krb5-server, krb5-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP2 (i386, x86_64)
SLE-SDK 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
fixed
*** Bug 866059 has been marked as a duplicate of this bug. ***