Moderate: gssntlmssp security update

2023-05-1600:00:00

errata.almalinux.org

gssapi

ntlm

authentication

security fix

out-of-bounds read

memory corruption

incorrect free

memory leak

parsing usernames

cve

unix

CVSS3

8.2

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

EPSS

0.001

Percentile

45.8%

JSON

The gssntlmssp is a GSSAPI NTLM mechanism that allows to perform NTLM authentication in GSSAPI programs.

Security Fix(es):

gssntlmssp: multiple out-of-bounds read when decoding NTLM fields (CVE-2023-25563)
gssntlmssp: memory corruption when decoding UTF16 strings (CVE-2023-25564)
gssntlmssp: incorrect free when decoding target information (CVE-2023-25565)
gssntlmssp: memory leak when parsing usernames (CVE-2023-25566)
gssntlmssp: out-of-bounds read when decoding target information (CVE-2023-25567)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

OSVersionArchitecturePackageVersionFilename
almalinux8x86_64gssntlmssp< 1.2.0-1.el8_8gssntlmssp-1.2.0-1.el8_8.x86_64.rpm
almalinux8aarch64gssntlmssp< 1.2.0-1.el8_8gssntlmssp-1.2.0-1.el8_8.aarch64.rpm
almalinux8ppc64legssntlmssp< 1.2.0-1.el8_8gssntlmssp-1.2.0-1.el8_8.ppc64le.rpm
almalinux8s390xgssntlmssp< 1.2.0-1.el8_8gssntlmssp-1.2.0-1.el8_8.s390x.rpm

OS	Version	Architecture	Package	Version	Filename
almalinux	8	x86_64	gssntlmssp	< 1.2.0-1.el8_8	gssntlmssp-1.2.0-1.el8_8.x86_64.rpm
almalinux	8	aarch64	gssntlmssp	< 1.2.0-1.el8_8	gssntlmssp-1.2.0-1.el8_8.aarch64.rpm
almalinux	8	ppc64le	gssntlmssp	< 1.2.0-1.el8_8	gssntlmssp-1.2.0-1.el8_8.ppc64le.rpm
almalinux	8	s390x	gssntlmssp	< 1.2.0-1.el8_8	gssntlmssp-1.2.0-1.el8_8.s390x.rpm