Bugzilla – Bug 888697
VUL-0: krb5: CVE-2014-4343 CVE-2014-4344: krb5: multiple flaws in SPNEGO
Last modified: 2014-09-01 09:57:23 UTC
CVE-2014-4343: double-free flaw in SPNEGO initiators A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. It is reported that this issue affects version 1.10 and later. Upstream commit and further details: https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f CVE-2014-4344: pointer dereference flaw in SPNEGO acceptor for continuation A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. An unauthenticated attacker could use this flaw to crash the server acceptor. It is reported that this issue affects version 1.5 and later. Upstream commit and further details: https://github.com/krb5/krb5/commit/524688ce87a15fc75f87efc8c039ba4c7d5c197b References: https://bugzilla.redhat.com/show_bug.cgi?id=1121876 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4343 http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-4343.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4343
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (888697) was mentioned in https://build.opensuse.org/request/show/242701 13.1+12.3 / krb5+krb5-mini+krb5-doc
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2014-08-12. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58451
Affected packages: SLE-11-SP3: krb5
Affected packages: SLE-10-SP3-TERADATA: krb5 SLE-11-SP3: krb5
openSUSE-SU-2014:0977-1: An update that fixes four vulnerabilities is now available. Category: security (low) Bug References: 886016,888697 CVE References: CVE-2014-4341,CVE-2014-4342,CVE-2014-4343,CVE-2014-4344 Sources used: openSUSE 13.1 (src): krb5-1.11.3-3.8.1, krb5-mini-1.11.3-3.8.1 openSUSE 12.3 (src): krb5-1.10.2-10.26.1, krb5-doc-1.10.2-10.26.2, krb5-mini-1.10.2-10.26.1
SUSE-SU-2014:0989-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 886016,888697 CVE References: CVE-2014-4341,CVE-2014-4342,CVE-2014-4343,CVE-2014-4344 Sources used: SUSE Linux Enterprise Software Development Kit 11 SP3 (src): krb5-1.6.3-133.49.60.1 SUSE Linux Enterprise Server 11 SP3 for VMware (src): krb5-1.6.3-133.49.60.1, krb5-doc-1.6.3-133.49.60.1, krb5-plugins-1.6.3-133.49.60.1 SUSE Linux Enterprise Server 11 SP3 (src): krb5-1.6.3-133.49.60.1, krb5-doc-1.6.3-133.49.60.1, krb5-plugins-1.6.3-133.49.60.1 SUSE Linux Enterprise Desktop 11 SP3 (src): krb5-1.6.3-133.49.60.1
was released