Advisories » MGASA-2014-0536

Updated krb5 packages fix CVE-2014-5353

Publication date: 19 Dec 2014
Modification date: 19 Dec 2014
Type: security
Affected Mageia releases : 4
CVE: CVE-2014-5353

Description

Updated krb5 packages fix security vulnerability:

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal.  The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals (CVE-2014-5353).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=14816
• https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773226
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5353

SRPMS

4/core

• krb5-1.11.4-1.3.mga4