DSA-3395-2 krb5 -- krb5
ID: oval:org.secpod.oval:def:602275 | Date: (C)2015-11-24 (M)2023-12-07 |
Class: PATCH | Family: unix |
Marc Deslauriers reported that the update for krb5 issued as DSA-3395-1 did not contain the patch to address CVE-2015-2697 for the packages built for the oldstable distribution. Updated packages are now available to address this issue. For reference, the relevant part of the original advisory text follows.

CVE-2015-2697: It was discovered that the build_principal_va function incorrectly handles input strings. An authenticated attacker can take advantage of this flaw to cause a KDC to crash using a TGS request with a large realm field beginning with a null byte.
Product: |
krb5-kdc |
krb5-kdc-ldap |
krb5-admin-server |