Advisories » MGASA-2016-0123

Updated krb5 packages fix security vulnerability

Publication date: 25 Mar 2016
Modification date: 25 Mar 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-3119

Description

It was reported that in all versions of MIT krb5, an authenticated
attacker with permission to modify a principal entry can cause kadmind to
dereference a null pointer by supplying an empty DB argument to the
modify_principal command, if kadmind is configured to use the LDAP KDB
module (CVE-2016-3119).

The krb5 package has been updated to version 1.12.5 and patched to fix
this issue and other bugs.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=18058
• http://web.mit.edu/kerberos/krb5-1.12/krb5-1.12.5.html
• https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179220.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3119

SRPMS

5/core

• krb5-1.12.5-1.mga5