Bugzilla – Bug 910458
VUL-1: CVE-2014-5354: krb5: NULL pointer dereference when using keyless entries
Last modified: 2016-04-27 19:33:19 UTC
public via rh#1174546 plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command. References: https://bugzilla.redhat.com/show_bug.cgi?id=1174546 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5354 http://seclists.org/oss-sec/2014/q4/1055 http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-5354.html https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773226 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5354 https://github.com/krb5/krb5/commit/04038bf3633c4b909b5ded3072dc88c8c419bf16 https://github.com/krb5/krb5/commit/d1f707024f1d0af6e54a18885322d70fa15ec4d3
bugbot adjusting priority
It is reported that versions prior to 1.12 are not affected. so just SLE-12 and OpenSUSE 13.2 are affected.
I checked the SLE-12 codestream and with the version 12.1.1, we are not affected.
This is an autogenerated message for OBS integration: This bug (910458) was mentioned in https://build.opensuse.org/request/show/286336 13.2 / krb5
This is an autogenerated message for OBS integration: This bug (910458) was mentioned in https://build.opensuse.org/request/show/290309 13.2+13.1 / krb5+krb5-mini
openSUSE-SU-2015:0542-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 910457,910458,918595 CVE References: CVE-2014-5353,CVE-2014-5354,CVE-2014-5355 Sources used: openSUSE 13.2 (src): krb5-1.12.2-12.1, krb5-mini-1.12.2-12.1 openSUSE 13.1 (src): krb5-1.11.3-3.18.1, krb5-mini-1.11.3-3.18.1
SUSE-SU-2015:1276-1: An update that fixes four vulnerabilities is now available. Category: security (moderate) Bug References: 910457,910458,918595,928978 CVE References: CVE-2014-5353,CVE-2014-5354,CVE-2014-5355,CVE-2015-2694 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): krb5-1.12.1-16.1 SUSE Linux Enterprise Server 12 (src): krb5-1.12.1-16.1
SUSE-SU-2015:1282-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 910457,910458,918595 CVE References: CVE-2014-5353,CVE-2014-5354,CVE-2014-5355 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): krb5-1.6.3-133.49.68.1 SUSE Linux Enterprise Software Development Kit 11-SP3 (src): krb5-1.6.3-133.49.68.1 SUSE Linux Enterprise Server for VMWare 11-SP3 (src): krb5-1.6.3-133.49.68.1, krb5-doc-1.6.3-133.49.68.2, krb5-plugins-1.6.3-133.49.68.1 SUSE Linux Enterprise Server 11-SP4 (src): krb5-1.6.3-133.49.68.1, krb5-doc-1.6.3-133.49.68.2, krb5-plugins-1.6.3-133.49.68.1 SUSE Linux Enterprise Server 11-SP3 (src): krb5-1.6.3-133.49.68.1, krb5-doc-1.6.3-133.49.68.2, krb5-plugins-1.6.3-133.49.68.1 SUSE Linux Enterprise Desktop 11-SP4 (src): krb5-1.6.3-133.49.68.1 SUSE Linux Enterprise Desktop 11-SP3 (src): krb5-1.6.3-133.49.68.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): krb5-1.6.3-133.49.68.1
This is an autogenerated message for OBS integration: This bug (910458) was mentioned in https://build.opensuse.org/request/show/320084 42 / krb5
released