Bugzilla – Bug 963968
VUL-1: CVE-2015-8629: krb5: xdr_nullstring() doesn't check for terminating null character
Last modified: 2016-09-01 14:21:44 UTC
rh#1302617 It was reported that in all versions of MIT krb5, an authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the database. Upstream patch: https://github.com/krb5/krb5/commit/df17a1224a3406f57477bcd372c61e04c0e5a5bb References: https://bugzilla.redhat.com/show_bug.cgi?id=1302617 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8629 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8629
set to private
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-02-11. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62471
bugbot adjusting priority
This is an autogenerated message for OBS integration: This bug (963968) was mentioned in https://build.opensuse.org/request/show/357307 13.2 / krb5
openSUSE-SU-2016:0406-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 963964,963968,963975 CVE References: CVE-2015-8629,CVE-2015-8630,CVE-2015-8631 Sources used: openSUSE 13.2 (src): krb5-1.12.2-21.1, krb5-mini-1.12.2-21.1
SUSE-SU-2016:0429-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 963964,963968,963975 CVE References: CVE-2015-8629,CVE-2015-8630,CVE-2015-8631 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): krb5-1.12.1-25.1 SUSE Linux Enterprise Software Development Kit 12 (src): krb5-1.12.1-25.1 SUSE Linux Enterprise Server 12-SP1 (src): krb5-1.12.1-25.1 SUSE Linux Enterprise Server 12 (src): krb5-1.12.1-25.1 SUSE Linux Enterprise Desktop 12-SP1 (src): krb5-1.12.1-25.1 SUSE Linux Enterprise Desktop 12 (src): krb5-1.12.1-25.1
SUSE-SU-2016:0430-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 963968,963975 CVE References: CVE-2015-8629,CVE-2015-8631 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): krb5-1.6.3-133.49.106.1 SUSE Linux Enterprise Server 11-SP4 (src): krb5-1.6.3-133.49.106.1 SUSE Linux Enterprise Desktop 11-SP4 (src): krb5-1.6.3-133.49.106.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): krb5-1.6.3-133.49.106.1
openSUSE-SU-2016:0501-1: An update that fixes three vulnerabilities is now available. Category: security (moderate) Bug References: 963964,963968,963975 CVE References: CVE-2015-8629,CVE-2015-8630,CVE-2015-8631 Sources used: openSUSE Leap 42.1 (src): krb5-1.12.1-27.1, krb5-mini-1.12.1-27.1
update has been released.