CVSS2: AV:N/AC:L/Au:N/C:N/I:N/A:P
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

CVSS3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

AI Score confidence: High
EPSS percentile: 94.1%

Debian Security Advisory DSA-3466-1 [email protected]
https://www.debian.org/security/ Salvatore Bonaccorso
February 04, 2016 https://www.debian.org/security/faq

Package        : krb5
CVE ID         : CVE-2015-8629 CVE-2015-8630 CVE-2015-8631
Debian Bug     : 813126 813127 813296

Several vulnerabilities were discovered in krb5, the MIT implementation
of Kerberos. The Common Vulnerabilities and Exposures project identifies
the following problems:

CVE-2015-8629

    It was discovered that an authenticated attacker can cause kadmind
    to read beyond the end of allocated memory by sending a string
    without a terminating zero byte. Information leakage may be possible
    for an attacker with permission to modify the database.

CVE-2015-8630

    It was discovered that an authenticated attacker with permission to
    modify a principal entry can cause kadmind to dereference a null
    pointer by supplying a null policy value but including KADM5_POLICY
    in the mask.

CVE-2015-8631

    It was discovered that an authenticated attacker can cause kadmind
    to leak memory by supplying a null principal name in a request which
    uses one. Repeating these requests will eventually cause kadmind to
    exhaust all available memory.

For the oldstable distribution (wheezy), these problems have been fixed
in version 1.10.1+dfsg-5+deb7u7. The oldstable distribution (wheezy) is
not affected by CVE-2015-8630.

For the stable distribution (jessie), these problems have been fixed in
version 1.12.1+dfsg-19+deb8u2.

We recommend that you upgrade your krb5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]

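
The three flaws above share one cause: request fields were used before being validated. The following C sketch is an added illustration of the corresponding checks, not code from krb5 or from this advisory; every identifier in it (`admin_request`, `REQ_MASK_POLICY`, `wire_string_ok`, `validate_request`, `handle_request`) is hypothetical, and the request in `main` is constructed.

```c
#include <stdlib.h>
#include <string.h>

/* All names are hypothetical; this is a simplified model, not krb5 code. */
#define REQ_MASK_POLICY 0x0800u  /* stands in for the KADM5_POLICY mask bit */
enum req_status { REQ_OK, REQ_NO_MEMORY, REQ_BAD_MASK, REQ_BAD_PRINCIPAL };
int live_allocs;  /* outstanding per-request buffers */

struct admin_request {
    unsigned mask;          /* optional fields the sender claims to supply */
    const char *principal;  /* decoded principal name, NULL if absent */
    const char *policy;     /* decoded policy name, NULL if absent */
};

/* CVE-2015-8629 class: the first zero byte must be the buffer's last byte. */
int wire_string_ok(const char *buf, size_t len)
{
    if (buf == NULL || len == 0)
        return 0;
    return memchr(buf, '\0', len) == (const void *)(buf + len - 1);
}

/* CVE-2015-8630/8631 classes: check presence before any dereference. */
enum req_status validate_request(const struct admin_request *req)
{
    if (req->principal == NULL)
        return REQ_BAD_PRINCIPAL;
    if ((req->mask & REQ_MASK_POLICY) && req->policy == NULL)
        return REQ_BAD_MASK;  /* mask promises a policy that is absent */
    return REQ_OK;
}

/* One exit path frees the per-request buffer even for rejected requests. */
enum req_status handle_request(const struct admin_request *req)
{
    char *scratch = malloc(64);
    if (scratch == NULL)
        return REQ_NO_MEMORY;
    live_allocs++;
    enum req_status st = validate_request(req);  /* act on REQ_OK here */
    free(scratch);
    live_allocs--;
    return st;
}

int main(void)
{
    struct admin_request bad = { REQ_MASK_POLICY, "user@EXAMPLE.TEST", NULL };
    return !(handle_request(&bad) == REQ_BAD_MASK && live_allocs == 0);
}
```

The string check also rejects embedded zero bytes, which is stricter than the advisory's description requires.
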
OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
Debian | 8 | ppc64el | libk5crypto3 | < 1.12.1+dfsg-19+deb8u2 | libk5crypto3_1.12.1+dfsg-19+deb8u2_ppc64el.deb |
Debian | 7 | mips | libkdb5-6 | < 1.10.1+dfsg-5+deb7u7 | libkdb5-6_1.10.1+dfsg-5+deb7u7_mips.deb |
Debian | 8 | kfreebsd-i386 | krb5-gss-samples | < 1.12.1+dfsg-19+deb8u2 | krb5-gss-samples_1.12.1+dfsg-19+deb8u2_kfreebsd-i386.deb |
Debian | 8 | powerpc | libkadm5clnt-mit9 | < 1.12.1+dfsg-19+deb8u2 | libkadm5clnt-mit9_1.12.1+dfsg-19+deb8u2_powerpc.deb |
Debian | 7 | mipsel | krb5-user | < 1.10.1+dfsg-5+deb7u7 | krb5-user_1.10.1+dfsg-5+deb7u7_mipsel.deb |
Debian | 8 | armhf | libgssapi-krb5-2 | < 1.12.1+dfsg-19+deb8u2 | libgssapi-krb5-2_1.12.1+dfsg-19+deb8u2_armhf.deb |
Debian | 7 | armhf | krb5-multidev | < 1.10.1+dfsg-5+deb7u7 | krb5-multidev_1.10.1+dfsg-5+deb7u7_armhf.deb |
Debian | 6 | i386 | libkrb5-dev | < 1.8.3+dfsg-4squeeze11 | libkrb5-dev_1.8.3+dfsg-4squeeze11_i386.deb |
Debian | 7 | ia64 | libkadm5clnt-mit8 | < 1.10.1+dfsg-5+deb7u7 | libkadm5clnt-mit8_1.10.1+dfsg-5+deb7u7_ia64.deb |
Debian | 8 | arm64 | libk5crypto3 | < 1.12.1+dfsg-19+deb8u2 | libk5crypto3_1.12.1+dfsg-19+deb8u2_arm64.deb |