886016 – (CVE-2014-4341) VUL-0: CVE-2014-4341 CVE-2014-4342: krb5: denial of service flaws when handling RFC 1964 tokens

Bug 886016 (CVE-2014-4341) - VUL-0: CVE-2014-4341 CVE-2014-4342: krb5: denial of service flaws when handling RFC 1964 tokens

Summary: VUL-0: CVE-2014-4341 CVE-2014-4342: krb5: denial of service flaws when handli...

Status:	RESOLVED FIXED

Alias:	CVE-2014-4341

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Deadline:	2014-08-12
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/103322/
Whiteboard:	maint:released:sle11-sp1:58452 maint:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2014-07-07 11:49 UTC by Victor Pereira
Modified:	2016-04-11 16:13 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Victor Pereira 2014-07-07 11:49:56 UTC

CVE-2014-4341 and CVE-2014-4342

Flaws were found in the way MIT Kerberos handled RFC 1964 tokens. A man-in-the-middle attacker able to inject packets into an application's GSS-API session could use this flaw to crash the application.

References:


References:
https://github.com/krb5/krb5/commit/fb99962cbd063ac04c9a9d2cc7c75eab73f3533d
https://bugzilla.redhat.com/show_bug.cgi?id=1116180
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4341
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4342
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4341.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4342.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4341
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4342

Comment 1 Swamp Workflow Management 2014-07-07 22:00:47 UTC

bugbot adjusting priority

Comment 9 Swamp Workflow Management 2014-07-29 06:44:21 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2014-08-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/58451

Comment 10 Swamp Workflow Management 2014-08-11 08:06:18 UTC

openSUSE-SU-2014:0977-1: An update that fixes four vulnerabilities is now available.

Category: security (low)
Bug References: 886016,888697
CVE References: CVE-2014-4341,CVE-2014-4342,CVE-2014-4343,CVE-2014-4344
Sources used:
openSUSE 13.1 (src):    krb5-1.11.3-3.8.1, krb5-mini-1.11.3-3.8.1
openSUSE 12.3 (src):    krb5-1.10.2-10.26.1, krb5-doc-1.10.2-10.26.2, krb5-mini-1.10.2-10.26.1

Comment 11 Swamp Workflow Management 2014-08-11 17:04:40 UTC

SUSE-SU-2014:0989-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 886016,888697
CVE References: CVE-2014-4341,CVE-2014-4342,CVE-2014-4343,CVE-2014-4344
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    krb5-1.6.3-133.49.60.1
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    krb5-1.6.3-133.49.60.1, krb5-doc-1.6.3-133.49.60.1, krb5-plugins-1.6.3-133.49.60.1
SUSE Linux Enterprise Server 11 SP3 (src):    krb5-1.6.3-133.49.60.1, krb5-doc-1.6.3-133.49.60.1, krb5-plugins-1.6.3-133.49.60.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    krb5-1.6.3-133.49.60.1

Comment 12 Marcus Meissner 2014-09-01 09:58:47 UTC

was released