Advisories » MGASA-2016-0306

Updated krb5 packages fix security vulnerability

Publication date: 16 Sep 2016
Modification date: 08 Sep 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-3120

Description

The validate_as_request function in kdc_util.c in the Key Distribution
Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.14.3, when
restrict_anonymous_to_tgt is enabled, uses an incorrect client data
structure, which allows remote
authenticated users to cause a denial of service (NULL pointer dereference
and daemon crash) via an S4U2Self request (CVE-2016-3120).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=19277
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AWL3KYFRJIX37EAM4DKCQQIQP2WBKL35/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3120

SRPMS

5/core

• krb5-1.12.5-1.1.mga5