Launchpad has imported 8 comments from the remote bug at
https://bugzilla.redhat.com/show_bug.cgi?id=827517.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2012-06-01T16:42:30+00:00 Vincent wrote:

MIT Kerberos 5 version 1.10.2 was released [1] and noted as fixing:

* Fix a kadmind denial of service issue (null pointer dereference),
which could only be triggered by an administrator with the "create"
privilege.  [CVE-2012-1013]

No information is currently available on which versions are affected by
this flaw.

[1] http://mailman.mit.edu/pipermail/kerberos-announce/2012q2/000136.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/comments/0

------------------------------------------------------------------------
On 2012-06-01T20:17:27+00:00 Vincent wrote:

Upstream bug report:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7152

And the upstream fix:

https://github.com/krb5/krb5/commit/c5be6209311d4a8f10fda37d0d3f876c1b33b77b

This only affects krb5 1.8 and higher, and only clients authorized to
create principals can trigger the bug (so it requires administrative
privileges).

Reply at:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/comments/1

------------------------------------------------------------------------
On 2012-06-01T20:18:28+00:00 Vincent wrote:

Created krb5 tracking bugs for this issue

Affects: fedora-all [bug 827598]

Reply at:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/comments/2

------------------------------------------------------------------------
On 2012-06-13T21:34:03+00:00 Fedora wrote:

krb5-1.10-7.fc17 has been pushed to the Fedora 17 stable repository.  If
problems still persist, please make note of it in this bug report.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/comments/4

------------------------------------------------------------------------
On 2012-06-13T21:35:17+00:00 Fedora wrote:

krb5-1.9.3-2.fc16 has been pushed to the Fedora 16 stable repository.
If problems still persist, please make note of it in this bug report.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/comments/5

------------------------------------------------------------------------
On 2012-06-13T21:36:27+00:00 Fedora wrote:

krb5-1.9.3-2.fc15 has been pushed to the Fedora 15 stable repository.
If problems still persist, please make note of it in this bug report.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/comments/6

------------------------------------------------------------------------
On 2012-07-31T18:56:57+00:00 errata-xmlrpc wrote:

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1131 https://rhn.redhat.com/errata/RHSA-2012-1131.html

Reply at:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/comments/10

------------------------------------------------------------------------
On 2012-07-31T21:43:19+00:00 Vincent wrote:

Statement:

Not vulnerable. This issue did not affect the versions of krb5 as
shipped with Red Hat Enterprise Linux 4 and 5.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/comments/11


** Changed in: krb5 (Fedora)
       Status: Unknown => Fix Released

** Changed in: krb5 (Fedora)
   Importance: Unknown => Low

** Bug watch added: krbdev.mit.edu/rt/ #7152
   http://krbdev.mit.edu/rt/Ticket/Display.html?id=7152

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1009422

Title:
  (CVE-2012-1013) krb5 : kadmind denial of service

Status in krb5 package in Ubuntu:
  Fix Released
Status in krb5 package in Fedora:
  Fix Released

Bug description:
  https://secunia.com/advisories/49346/

  Description
  A weakness has been reported in Kerberos, which can be exploited by
  malicious users to cause a DoS (Denial of Service).

  The vulnerability is caused by a NULL pointer dereference error in
  the "check_1_6_dummy()" function in src/lib/kadm5/srv/svr_principal.c.
  This can be exploited to cause a crash via a create-principal request
  containing no password but the KRB5_KDB_DISALLOW_ALL_TIX flag.

  Successful exploitation requires an administrator account with
  "create" privileges.

  The weakness is reported in versions prior to 1.10.2.

  Solution
  Update to version 1.10.2.

  Provided and/or discovered by
  Reported by the vendor.

  Original Advisory
  http://web.mit.edu/kerberos/krb5-1.10/
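The NULL-pointer pattern the description names, shown as an added illustration written for this page. It is not krb5's check_1_6_dummy() and does not reproduce the upstream commit; the struct, the attribute bit values, the MASK_ATTRIBUTES flag and the dummy-password sentinel are constructed stand-ins. The only points carried over from the page are that a create-principal request with no password but the KRB5_KDB_DISALLOW_ALL_TIX attribute reaches a dereference of the password pointer, and that the fix is to stop inspecting a password that was never supplied.

```c
/*
 * Added illustration (not krb5 source): the NULL-pointer dereference
 * behind CVE-2012-1013 and the shape of its fix.  The attribute gate is
 * evaluated first; once it passes, the pre-fix code reads the password
 * unconditionally, and a request carrying the DISALLOW_ALL_TIX attribute
 * but no password hands it a NULL pointer.  Every constant, the struct
 * and the dummy-password test are constructed stand-ins, not krb5's.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DISALLOW_ALL_TIX 0x00000001UL /* constructed stand-in attribute bit */
#define MASK_ATTRIBUTES  0x00000002UL /* constructed: "attributes field was sent" */

/* Constructed sentinel standing in for the 1.6-era dummy password. */
static const char DUMMY_SENTINEL[] = "DUMMY-1.6-PASSWORD";

struct principal_req {
    unsigned long mask;       /* which optional fields the client supplied */
    unsigned long attributes; /* KDB attribute bits */
    const char *password;     /* NULL when the request carried no password */
};

/* Pre-fix shape: attribute gate, then an unconditional dereference. */
int is_dummy_request_unsafe(const struct principal_req *req)
{
    if (!(req->mask & MASK_ATTRIBUTES) ||
        !(req->attributes & DISALLOW_ALL_TIX))
        return 0;
    /* req->password is read here with no NULL check: a request with the
     * attribute set and no password crashes the process at this line. */
    return strcmp(req->password, DUMMY_SENTINEL) == 0;
}

/* Fixed shape: a missing password can never be the dummy, so the
 * NULL case is rejected before anything reads through the pointer. */
int is_dummy_request_fixed(const struct principal_req *req)
{
    if (req->password == NULL)
        return 0;
    if (!(req->mask & MASK_ATTRIBUTES) ||
        !(req->attributes & DISALLOW_ALL_TIX))
        return 0;
    return strcmp(req->password, DUMMY_SENTINEL) == 0;
}

int main(void)
{
    /* Constructed request: attribute set, no password (the CVE trigger). */
    struct principal_req no_pw = { MASK_ATTRIBUTES, DISALLOW_ALL_TIX, NULL };
    /* Constructed request: attribute set, sentinel password supplied. */
    struct principal_req dummy = { MASK_ATTRIBUTES, DISALLOW_ALL_TIX,
                                   DUMMY_SENTINEL };

    printf("fixed, no password:   %d\n", is_dummy_request_fixed(&no_pw));
    printf("fixed, dummy password: %d\n", is_dummy_request_fixed(&dummy));
    printf("unsafe, dummy password: %d\n", is_dummy_request_unsafe(&dummy));
    /* is_dummy_request_unsafe(&no_pw) is deliberately not called: it would
     * dereference NULL, which is the crash the advisory describes. */
    return 0;
}
```

The order of the two checks is the whole fix: the NULL test has to sit before any call that reads the string, not after the attribute gate. The page's own mitigation context still applies: the request only reaches this code from a client holding the "create" privilege, which bounds who can crash kadmind but does not remove the defect.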

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
