krb5 -- requires_preauth bypass in PKINIT-enabled KDC
2015-05-25T00:00:00
ID 406636FE-055D-11E5-AAB1-D050996490D0 Type freebsd Reporter FreeBSD Modified 2015-05-25T00:00:00
Description
MIT reports:
In MIT krb5 1.12 and later, when the KDC is configured
with PKINIT support, an unauthenticated remote attacker
can bypass the requires_preauth flag on a client principal
and obtain a ciphertext encrypted in the principal's
long-term key. This ciphertext could be used to conduct
an off-line dictionary attack against the user's password.
{"bulletinFamily": "unix", "reporter": "FreeBSD", "edition": 1, "viewCount": 0, "published": "2015-05-25T00:00:00", "cvelist": ["CVE-2015-2694"], "type": "freebsd", "id": "406636FE-055D-11E5-AAB1-D050996490D0", "objectVersion": "1.2", "references": ["http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160"], "hashmap": [{"key": "affectedPackage", "hash": "71004da733a0a656bcbcd46d2b40e652"}, {"key": "bulletinFamily", "hash": "4913a9178621eadcdf191db17915fbcb"}, {"key": "cvelist", "hash": "9a3333883ad440a1d43d0153e4411727"}, {"key": "cvss", "hash": "aa48a6bdcab91a600eca490863982fbd"}, {"key": "description", "hash": "737f11507db614f0b2a1f344339a9ed2"}, {"key": "href", "hash": "c60196e01534f1ca181c6933b432a9eb"}, {"key": "modified", "hash": "1e9048f729e1a6713c28543c89ace717"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "1e9048f729e1a6713c28543c89ace717"}, {"key": "references", "hash": "cae7b4d2b500aed77a43f88fee867559"}, {"key": "reporter", "hash": "a3dc630729e463135f4e608954fa6e19"}, {"key": "title", "hash": "f57d57e232e24cdbd43e81175f0b45c5"}, {"key": "type", "hash": "1527e888767cdce15d200b870b39cfd0"}, {"key": "viewCount", "hash": "cfcd208495d565ef66e7dff9f98764da"}], "description": "\nMIT reports:\n\nIn MIT krb5 1.12 and later, when the KDC is configured\n\t with PKINIT support, an unauthenticated remote attacker\n\t can bypass the requires_preauth flag on a client principal\n\t and obtain a ciphertext encrypted in the principal's\n\t long-term key. This ciphertext could be used to conduct\n\t an off-line dictionary attack against the user's password.\n\n", "affectedPackage": [{"operator": "lt", "packageFilename": "UNKNOWN", "packageName": "krb5-112", "OSVersion": "any", "OS": "FreeBSD", "arch": "noarch", "packageVersion": "1.12.3_2"}, {"operator": "lt", "packageFilename": "UNKNOWN", "packageName": "krb5", "OSVersion": "any", "OS": "FreeBSD", "arch": "noarch", "packageVersion": "1.13.2"}], "modified": "2015-05-25T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://vuxml.freebsd.org/freebsd/406636fe-055d-11e5-aab1-d050996490d0.html", "title": "krb5 -- requires_preauth bypass in PKINIT-enabled KDC", "hash": "78f42b7cfb51986aa5559c3203d55ad52ced9a24197f6fdc05f1bd58f21059c9", "lastseen": "2016-09-26T17:24:19", "history": [], "enchantments": {"vulnersScore": 9.0}}
{"result": {"cve": [{"id": "CVE-2015-2694", "type": "cve", "title": "CVE-2015-2694", "description": "The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.", "published": "2015-05-25T15:59:02", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2694", "cvelist": ["CVE-2015-2694"], "lastseen": "2017-04-18T15:56:30"}], "nessus": [{"id": "FREEBSD_PKG_406636FE055D11E5AAB1D050996490D0.NASL", "type": "nessus", "title": "FreeBSD : krb5 -- requires_preauth bypass in PKINIT-enabled KDC (406636fe-055d-11e5-aab1-d050996490d0)", "description": "MIT reports :\n\nIn MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.", "published": "2015-05-29T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83901", "cvelist": ["CVE-2015-2694"], "lastseen": "2017-10-29T13:42:32"}, {"id": "FEDORA_2015-7866.NASL", "type": "nessus", "title": "Fedora 22 : krb5-1.13.1-3.fc22 (2015-7866)", "description": "Security fix for CVE-2015-2694\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-05-12T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83340", "cvelist": ["CVE-2015-2694"], "lastseen": "2017-10-29T13:40:02"}, {"id": "SL_20151119_KRB5_ON_SL7_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : krb5 on SL7.x x86_64", "description": "It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.\n(CVE-2014-5355)\n\nA flaw was found in the OTP kdcpreauth module of MIT kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694)\n\nThe krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version.\n\nNotably, this update fixes the following bugs :\n\n - Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation.\n\n - Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message :\n\nNo credentials were supplied, or the credentials were unavailable or inaccessible Unable to establish the security context\n\nQuerying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems.", "published": "2015-12-22T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=87560", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2017-10-29T13:32:45"}, {"id": "REDHAT-RHSA-2015-2154.NASL", "type": "nessus", "title": "RHEL 7 : krb5 (RHSA-2015:2154)", "description": "Updated krb5 packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nKerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.\n(CVE-2014-5355)\n\nA flaw was found in the OTP kdcpreauth module of MIT kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694)\n\nThe krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#1203889)\n\nNotably, this update fixes the following bugs :\n\n* Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation. (BZ#1251586)\n\n* Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message :\n\nNo credentials were supplied, or the credentials were unavailable or inaccessible Unable to establish the security context\n\nQuerying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems. (BZ#1252454)\n\nAll krb5 users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.", "published": "2015-11-19T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86933", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2017-10-29T13:40:28"}, {"id": "CENTOS_RHSA-2015-2154.NASL", "type": "nessus", "title": "CentOS 7 : krb5 (CESA-2015:2154)", "description": "Updated krb5 packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nKerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.\n(CVE-2014-5355)\n\nA flaw was found in the OTP kdcpreauth module of MIT kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694)\n\nThe krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#1203889)\n\nNotably, this update fixes the following bugs :\n\n* Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation. (BZ#1251586)\n\n* Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message :\n\nNo credentials were supplied, or the credentials were unavailable or inaccessible Unable to establish the security context\n\nQuerying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems. (BZ#1252454)\n\nAll krb5 users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.", "published": "2015-12-02T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=87136", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2017-10-29T13:40:39"}, {"id": "FEDORA_2015-7878.NASL", "type": "nessus", "title": "Fedora 21 : krb5-1.12.2-17.fc21 (2015-7878)", "description": "Security fix for CVE-2015-2694 Security fix for CVE-2014-5353 (this was fixed in an older build but the announcement was lost)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-06-22T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84305", "cvelist": ["CVE-2014-5353", "CVE-2015-2694"], "lastseen": "2017-10-29T13:36:37"}, {"id": "ORACLELINUX_ELSA-2015-2154.NASL", "type": "nessus", "title": "Oracle Linux 7 : krb5 (ELSA-2015-2154)", "description": "From Red Hat Security Advisory 2015:2154 :\n\nUpdated krb5 packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nKerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.\n(CVE-2014-5355)\n\nA flaw was found in the OTP kdcpreauth module of MIT kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694)\n\nThe krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#1203889)\n\nNotably, this update fixes the following bugs :\n\n* Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation. (BZ#1251586)\n\n* Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message :\n\nNo credentials were supplied, or the credentials were unavailable or inaccessible Unable to establish the security context\n\nQuerying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems. (BZ#1252454)\n\nAll krb5 users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.", "published": "2015-11-24T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=87026", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2017-10-29T13:43:24"}, {"id": "ALA_ALAS-2015-624.NASL", "type": "nessus", "title": "Amazon Linux AMI : krb5 (ALAS-2015-624)", "description": "A flaw was found in the OTP kdcpreauth module of MIT Kerberos. A remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.", "published": "2015-12-15T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=87350", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2018-04-19T07:43:46"}, {"id": "SUSE_SU-2015-1276-1.NASL", "type": "nessus", "title": "SUSE SLES12 Security Update : krb5 (SUSE-SU-2015:1276-1)", "description": "krb5 was updated to fix four security issues.\n\nThese security issues were fixed :\n\n - CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name (bsc#910457).\n\n - CVE-2014-5354: NULL pointer dereference when using keyless entries (bsc#910458).\n\n - CVE-2014-5355: Denial of service in krb5_read_message (bsc#918595).\n\n - CVE-2015-2694: OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass (bsc#928978).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-07-22T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84914", "cvelist": ["CVE-2014-5355", "CVE-2014-5354", "CVE-2014-5353", "CVE-2015-2694"], "lastseen": "2017-10-29T13:36:46"}, {"id": "UBUNTU_USN-2810-1.NASL", "type": "nessus", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : krb5 vulnerabilities (USN-2810-1)", "description": "It was discovered that the Kerberos kpasswd service incorrectly handled certain UDP packets. A remote attacker could possibly use this issue to cause resource consumption, resulting in a denial of service.\nThis issue only affected Ubuntu 12.04 LTS. (CVE-2002-2443)\n\nIt was discovered that Kerberos incorrectly handled null bytes in certain data fields. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5355)\n\nIt was discovered that the Kerberos kdcpreauth modules incorrectly tracked certain client requests. A remote attacker could possibly use this issue to bypass intended preauthentication requirements. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-2694)\n\nIt was discovered that Kerberos incorrectly handled certain SPNEGO packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-2695)\n\nIt was discovered that Kerberos incorrectly handled certain IAKERB packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-2696, CVE-2015-2698)\n\nIt was discovered that Kerberos incorrectly handled certain TGS requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-2697).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-11-13T00:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86872", "cvelist": ["CVE-2015-2696", "CVE-2014-5355", "CVE-2015-2695", "CVE-2015-2697", "CVE-2015-2698", "CVE-2015-2694", "CVE-2002-2443"], "lastseen": "2017-10-29T13:38:46"}], "openvas": [{"id": "OPENVAS:1361412562310869488", "type": "openvas", "title": "Fedora Update for krb5 FEDORA-2015-7866", "description": "Check the version of krb5", "published": "2015-07-07T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869488", "cvelist": ["CVE-2015-2694"], "lastseen": "2017-07-25T10:52:42"}, {"id": "OPENVAS:1361412562310120614", "type": "openvas", "title": "Amazon Linux Local Check: alas-2015-624", "description": "Amazon Linux Local Security Checks", "published": "2015-12-15T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120614", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2017-07-24T12:53:26"}, {"id": "OPENVAS:1361412562310871493", "type": "openvas", "title": "RedHat Update for krb5 RHSA-2015:2154-07", "description": "Check the version of krb5", "published": "2015-11-20T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871493", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2017-07-27T10:52:49"}, {"id": "OPENVAS:1361412562310122742", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-2154", "description": "Oracle Linux Local Security Checks ELSA-2015-2154", "published": "2015-11-24T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122742", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2017-07-24T12:53:54"}, {"id": "OPENVAS:1361412562310869458", "type": "openvas", "title": "Fedora Update for krb5 FEDORA-2015-7878", "description": "Check the version of krb5", "published": "2015-06-21T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869458", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5354", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421", "CVE-2015-2694", "CVE-2014-9423"], "lastseen": "2017-07-25T10:53:04"}, {"id": "OPENVAS:1361412562310842532", "type": "openvas", "title": "Ubuntu Update for krb5 USN-2810-1", "description": "Check the version of krb5", "published": "2015-11-13T00:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842532", "cvelist": ["CVE-2015-2696", "CVE-2014-5355", "CVE-2015-2695", "CVE-2015-2697", "CVE-2015-2698", "CVE-2015-2694", "CVE-2002-2443"], "lastseen": "2017-12-04T11:23:16"}], "archlinux": [{"id": "ASA-201507-11", "type": "archlinux", "title": "lib32-krb5: multiple issues", "description": "- CVE-2014-5355 (denial of service)\n\nWhen a server process uses the krb5_recvauth function, an\nunauthenticated remote attacker can cause a NULL dereference by sending\na zero-byte version string, or a read beyond the end of allocated\nstorage by sending a non-null-terminated version string. The example\nuser-to-user server application (uuserver) is similarly vulnerable to a\nzero-length or non-null-terminated principal name string.\n\nThe krb5_recvauth function reads two version strings from the client\nusing krb5_read_message(), which produces a krb5_data structure\ncontaining a length and a pointer to an octet sequence. krb5_recvaut\nassumes that the data pointer is a valid C string and passes it to\nstrcmp() to verify the versions. If the client sends an empty octet\nsequence, the data pointer will be NULL and strcmp() will dereference a\nNULL pointer, causing the process to crash. If the client sends a\nnon-null-terminated octet sequence, strcmp() will read beyond the end of\nthe allocated storage, possibly causing the process to crash.\n\n- CVE-2015-2694 (preauthentication requirement bypass)\n\nIt has been discovered that, when the KDC is configured with PKINIT\nsupport, an unauthenticated remote attacker can bypass the\nrequires_preauth flag on a client principal and obtain a ciphertext\nencrypted in the principal's long-term key. This ciphertext could be\nused to conduct an off-line dictionary attack against the user's password.", "published": "2015-07-12T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-July/000365.html", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2016-09-02T18:44:36"}, {"id": "ASA-201507-10", "type": "archlinux", "title": "krb5: multiple issues", "description": "- CVE-2014-5355 (denial of service)\n\nWhen a server process uses the krb5_recvauth function, an\nunauthenticated remote attacker can cause a NULL dereference by sending\na zero-byte version string, or a read beyond the end of allocated\nstorage by sending a non-null-terminated version string. The example\nuser-to-user server application (uuserver) is similarly vulnerable to a\nzero-length or non-null-terminated principal name string.\n\nThe krb5_recvauth function reads two version strings from the client\nusing krb5_read_message(), which produces a krb5_data structure\ncontaining a length and a pointer to an octet sequence. krb5_recvaut\nassumes that the data pointer is a valid C string and passes it to\nstrcmp() to verify the versions. If the client sends an empty octet\nsequence, the data pointer will be NULL and strcmp() will dereference a\nNULL pointer, causing the process to crash. If the client sends a\nnon-null-terminated octet sequence, strcmp() will read beyond the end of\nthe allocated storage, possibly causing the process to crash.\n\n- CVE-2015-2694 (preauthentication requirement bypass)\n\nIt has been discovered that, when the KDC is configured with PKINIT\nsupport, an unauthenticated remote attacker can bypass the\nrequires_preauth flag on a client principal and obtain a ciphertext\nencrypted in the principal's long-term key. This ciphertext could be\nused to conduct an off-line dictionary attack against the user's password.", "published": "2015-07-12T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-July/000364.html", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2016-09-02T18:44:47"}], "centos": [{"id": "CESA-2015:2154", "type": "centos", "title": "krb5 security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:2154\n\n\nKerberos is a network authentication system, which can improve the security\nof your network by eliminating the insecure practice of sending passwords\nover the network in unencrypted form. It allows clients and servers to\nauthenticate to each other with the help of a trusted third party, the\nKerberos key distribution center (KDC).\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not\ncorrectly sanitize input, and could create invalid krb5_data objects.\nA remote, unauthenticated attacker could use this flaw to crash a Kerberos\nchild process via a specially crafted request. (CVE-2014-5355)\n\nA flaw was found in the OTP kdcpreauth module of MIT kerberos.\nAn unauthenticated remote attacker could use this flaw to bypass the\nrequires_preauth flag on a client principal and obtain a ciphertext\nencrypted in the principal's long-term key. This ciphertext could be used\nto conduct an off-line dictionary attack against the user's password.\n(CVE-2015-2694)\n\nThe krb5 packages have been upgraded to upstream version 1.13.2, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#1203889)\n\nNotably, this update fixes the following bugs:\n\n* Previously, the RADIUS support (libkrad) in krb5 was sending krb5\nauthentication for Transmission Control Protocol (TCP) transports multiple\ntimes, accidentally using a code path intended to be used only for\nunreliable transport types, for example User Datagram Protocol (UDP)\ntransports. A patch that fixes the problem by disabling manual retries for\nreliable transports, such as TCP, has been applied, and the correct code\npath is now used in this situation. (BZ#1251586)\n\n* Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver\nsystems sometimes failed. The SAP NetWeaver developer trace displayed the\nfollowing error message:\n\n No credentials were supplied, or the credentials were\n unavailable or inaccessible\n Unable to establish the security context\n\nQuerying SSO credential lifetime has been modified to trigger credential\nacquisition, thus preventing the error from occurring. Now, the user can\nsuccessfully use Kerberos SSO for accessing SAP NetWeaver systems.\n(BZ#1252454)\n\nAll krb5 users are advised to upgrade to these updated packages, which\ncorrect these issues and add these enhancements.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2015-November/002350.html\n\n**Affected packages:**\nkrb5-devel\nkrb5-libs\nkrb5-pkinit\nkrb5-server\nkrb5-server-ldap\nkrb5-workstation\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-2154.html", "published": "2015-11-30T19:36:32", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-cr-announce/2015-November/002350.html", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2017-10-03T18:24:37"}], "amazon": [{"id": "ALAS-2015-624", "type": "amazon", "title": "Medium: krb5", "description": "**Issue Overview:**\n\nA flaw was found in the OTP kdcpreauth module of MIT Kerberos. A remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.\n\n \n**Affected Packages:** \n\n\nkrb5\n\n \n**Issue Correction:** \nRun _yum update krb5_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n krb5-server-1.13.2-10.39.amzn1.i686 \n krb5-libs-1.13.2-10.39.amzn1.i686 \n krb5-debuginfo-1.13.2-10.39.amzn1.i686 \n krb5-workstation-1.13.2-10.39.amzn1.i686 \n krb5-server-ldap-1.13.2-10.39.amzn1.i686 \n krb5-devel-1.13.2-10.39.amzn1.i686 \n krb5-pkinit-openssl-1.13.2-10.39.amzn1.i686 \n \n src: \n krb5-1.13.2-10.39.amzn1.src \n \n x86_64: \n krb5-devel-1.13.2-10.39.amzn1.x86_64 \n krb5-pkinit-openssl-1.13.2-10.39.amzn1.x86_64 \n krb5-debuginfo-1.13.2-10.39.amzn1.x86_64 \n krb5-server-1.13.2-10.39.amzn1.x86_64 \n krb5-workstation-1.13.2-10.39.amzn1.x86_64 \n krb5-libs-1.13.2-10.39.amzn1.x86_64 \n krb5-server-ldap-1.13.2-10.39.amzn1.x86_64 \n \n \n", "published": "2015-12-14T10:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-624.html", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2016-09-28T21:04:13"}], "oraclelinux": [{"id": "ELSA-2015-2154", "type": "oraclelinux", "title": "krb5 security, bug fix, and enhancement update", "description": "[1.13.2-9]\n- Add patch and test case for 'KDC does not return proper\n client principal for client referrals'\n- Resolves: #1259846\n[1.13.2-9]\n- Ammend patch for RedHat bug #1252454 ('testsuite complains\n 'Lifetime has increased by 32436 sec while 0 sec passed!',\n while rhel5-libkrb5 passes') to handle the newly introduced\n valgrind hits.\n[1.13.2-8]\n- Add a patch to fix RH Bug #1250154 ('[s390x, ppc64, ppc64le]:\n kadmind does not accept ACL if kadm5.acl does not end with EOL')\n The code 'accidently' works on x86/AMD64 because declaring a\n variable |char| results in an |unsigned char| by default while\n most other platforms (e.g. { s390x, ppc64, ppc64le, ...})\n default to |signed char| (still have to use lint(1) to clean\n up 38 more instances of this kind of bug).\n[1.13.2-7]\n- Obsolete multilib versions of server packages to fix RH\n bug #1251913 ('krb5 should obsolete the multilib versions\n of krb5-server and krb5-server-ldap').\n The following packages are declared obsolete:\n - krb5-server-1.11.3-49.el7.i686\n - krb5-server-1.11.3-49.el7.ppc\n - krb5-server-1.11.3-49.el7.s390\n - krb5-server-ldap-1.11.3-49.el7.i686\n - krb5-server-ldap-1.11.3-49.el7.ppc\n - krb5-server-ldap-1.11.3-49.el7.s390\n[1.13.2-6]\n- Add a patch to fix RedHat bug #1252454 ('testsuite complains\n 'Lifetime has increased by 32436 sec while 0 sec passed!',\n while rhel5-libkrb5 passes') so that krb5 resolves GSS creds\n if |time_rec| is requested.\n[1.13.2-5]\n- Add a patch to fix RedHat bug #1251586 ('KDC sends multiple\n requests to ipa-otpd for the same authentication') which causes\n the KDC to send multiple retries to ipa-otpd for TCP transports\n while it should only be done for UDP.\n[1.13.2-4]\n- the rebase to krb5 1.13.2 in vers 1.13.2-0 also fixed:\n - Redhat Bug #1247761 ('RFE: Minor krb5 spec file cleanup and sync\n with recent Fedora 22/23 changes')\n - Redhat Bug #1247751 ('krb5-config returns wrong -specs path')\n - Redhat Bug #1247608 ('Add support for multi-hop preauth mechs\n via |KDC_ERR_MORE_PREAUTH_DATA_REQUIRED| for RFC 6113 ('A\n Generalized Framework for Kerberos Pre-Authentication')')\n- Removed 'krb5-1.10-kprop-mktemp.patch' and\n 'krb5-1.3.4-send-pr-tempfile.patch', both are no longer used since\n the rebase to krb5 1.13.1\n[1.13.2-3]\n- Add patch to fix Redhat Bug #1222903 ('[SELinux] AVC denials may appear\n when kadmind starts'). The issue was caused by an unneeded |htons()|\n which triggered SELinux AVC denials due to the 'random' port usage.\n[1.13.2-2]\n- Add fix for RedHat Bug #1164304 ('Upstream unit tests loads\n the installed shared libraries instead the ones from the build')\n[1.13.2-1]\n- the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed:\n - Bug 1144498 ('Fix the race condition in the libkrb5 replay cache')\n - Bug 1163402 ('kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64')\n - Bug 1185770 ('Missing upstream test in krb5-1.12.2: src/tests/gssapi/t_invalid.c')\n - Bug 1204211 ('CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and other')\n[1.13.2-0]\n- Update to krb5-1.13.2\n - drop patch for krb5-1.13.2-CVE_2015_2694_requires_preauth_bypass_in_PKINIT_enabled_KDC, fixed in krb5-1.13.2\n - drop patch for krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling, fixed in krb5-1.13.2\n[1.13.1-2]\n- the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed RH\n bug #1156144 ('krb5 upstream test t_kdb.py failure')\n[1.13.1-1]\n- fix for CVE-2015-2694 (#1218020) 'requires_preauth bypass\n in PKINIT-enabled KDC'.\n In MIT krb5 1.12 and later, when the KDC is configured with\n PKINIT support, an unauthenticated remote attacker can\n bypass the requires_preauth flag on a client principal and\n obtain a ciphertext encrypted in the principal's long-term\n key. This ciphertext could be used to conduct an off-line\n dictionary attack against the user's password.\n[1.13.1-0]\n- Update to krb5-1.13.1\n - patch krb5-1.12-selinux-label was updated and renamed to krb5-1.13-selinux-label\n - patch krb5-1.11-dirsrv-accountlock was updated and renamed to krb5-1.13-dirsrv-accountlock\n - drop patch for krb5-1.12-pwdch-fast, fixed in krb5-1.13\n - drop patch for krb5-1.12ish-kpasswd_tcp, fixed in krb5-1.13\n - drop patch for krb5-master-rcache-internal-const, no longer needed\n - drop patch for krb5-master-rcache-acquirecred-cleanup, no longer needed\n - drop patch for krb5-master-rcache-acquirecred-source, no longer needed\n - drop patch for krb5-master-rcache-acquirecred-test, no longer needed\n - drop patch for krb5-master-move-otp-sockets, no longer needed\n - drop patch for krb5-master-mechd, no longer needed\n - drop patch for krb5-master-strdupcheck, no longer needed\n - drop patch for krb5-master-compatible-keys, no longer needed\n - drop patch for krb5-1.12-system-exts, fixed in krb5-1.13\n - drop patch for 0001-In-ksu-merge-krb5_ccache_copy-and-_restricted, no longer needed\n - drop patch for 0002-In-ksu-don-t-stat-not-on-disk-ccache-residuals, no longer needed\n - drop patch for 0003-Use-an-intermediate-memory-cache-in-ksu, no longer needed\n - drop patch for 0004-Make-ksu-respect-the-default_ccache_name-setting, no longer needed\n - drop patch for 0005-Copy-config-entries-to-the-ksu-target-ccache, no longer needed\n - drop patch for 0006-Use-more-randomness-for-ksu-secondary-cache-names, no longer needed\n - drop patch for 0007-Make-krb5_cc_new_unique-create-DIR-directories, no longer needed\n - drop patch for krb5-1.12-kpasswd-skip-address-check, fixed in krb5-1.13\n - drop patch for 0000-Refactor-cm-functions-in-sendto_kdc.c, no longer needed\n - drop patch for 0001-Simplify-sendto_kdc.c, no longer needed\n - drop patch for 0002-Add-helper-to-determine-if-a-KDC-is-the-master, no longer needed\n - drop patch for 0003-Use-k5_transport-_strategy-enums-for-k5_sendto, no longer needed\n - drop patch for 0004-Build-support-for-TLS-used-by-HTTPS-proxy-support, no longer needed\n - drop patch for 0005-Add-ASN.1-codec-for-KKDCP-s-KDC-PROXY-MESSAGE, no longer needed\n - drop patch for 0006-Dispatch-style-protocol-switching-for-transport, no longer needed\n - drop patch for 0007-HTTPS-transport-Microsoft-KKDCPP-implementation, no longer needed\n - drop patch for 0008-Load-custom-anchors-when-using-KKDCP, no longer needed\n - drop patch for 0009-Check-names-in-the-server-s-cert-when-using-KKDCP, no longer needed\n - drop patch for 0010-Add-some-longer-form-docs-for-HTTPS, no longer needed\n - drop patch for 0011-Have-k5test.py-provide-runenv-to-python-tests, no longer needed\n - drop patch for 0012-Add-a-simple-KDC-proxy-test-server, no longer needed\n - drop patch for 0013-Add-tests-for-MS-KKDCP-client-support, no longer needed\n - drop patch for krb5-1.12ish-tls-plugins, fixed in krb5-1.13.1\n - drop patch for krb5-1.12-nodelete-plugins, fixed in krb5-1.13.1\n - drop patch for krb5-1.12-ksu-untyped-default-ccache-name, fixed in krb5-1.13.1\n - drop patch for krb5-1.12-ksu-no-ccache, fixed in krb5-1.13.1\n - drop patch for krb5-ksu_not_working_with_default_principal, fixed in krb5-1.13.1\n - drop patch for CVE_2014_5353_fix_LDAP_misused_policy_name_crash, fixed in krb5-1.13.1\n - drop patch for CVE_2014_5354_support_keyless_principals_in_ldap, fixed in krb5-1.13.1\n - drop patch for kinit -C loops (MIT/krb5 bug #243), fixed in krb5-1.13.1\n - drop patch for CVEs { 2014-9421, 2014-9422, 2014-9423, 2014-5352 }, fixed in krb5-1.13.1\n - added patch krb5-1.14-Support-KDC_ERR_MORE_PREAUTH_DATA_REQUIRED\n - added patch krb5-1.12.1-CVE_2014_5355_fix_krb5_read_message_handling\n- Minor spec cleanup", "published": "2015-11-23T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-2154.html", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2016-09-04T11:16:44"}], "redhat": [{"id": "RHSA-2015:2154", "type": "redhat", "title": "(RHSA-2015:2154) Moderate: krb5 security, bug fix, and enhancement update", "description": "Kerberos is a network authentication system, which can improve the security\nof your network by eliminating the insecure practice of sending passwords\nover the network in unencrypted form. It allows clients and servers to\nauthenticate to each other with the help of a trusted third party, the\nKerberos key distribution center (KDC).\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not\ncorrectly sanitize input, and could create invalid krb5_data objects.\nA remote, unauthenticated attacker could use this flaw to crash a Kerberos\nchild process via a specially crafted request. (CVE-2014-5355)\n\nA flaw was found in the OTP kdcpreauth module of MIT kerberos.\nAn unauthenticated remote attacker could use this flaw to bypass the\nrequires_preauth flag on a client principal and obtain a ciphertext\nencrypted in the principal's long-term key. This ciphertext could be used\nto conduct an off-line dictionary attack against the user's password.\n(CVE-2015-2694)\n\nThe krb5 packages have been upgraded to upstream version 1.13.2, which\nprovides a number of bug fixes and enhancements over the previous version.\n(BZ#1203889)\n\nNotably, this update fixes the following bugs:\n\n* Previously, the RADIUS support (libkrad) in krb5 was sending krb5\nauthentication for Transmission Control Protocol (TCP) transports multiple\ntimes, accidentally using a code path intended to be used only for\nunreliable transport types, for example User Datagram Protocol (UDP)\ntransports. A patch that fixes the problem by disabling manual retries for\nreliable transports, such as TCP, has been applied, and the correct code\npath is now used in this situation. (BZ#1251586)\n\n* Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver\nsystems sometimes failed. The SAP NetWeaver developer trace displayed the\nfollowing error message:\n\n No credentials were supplied, or the credentials were\n unavailable or inaccessible\n Unable to establish the security context\n\nQuerying SSO credential lifetime has been modified to trigger credential\nacquisition, thus preventing the error from occurring. Now, the user can\nsuccessfully use Kerberos SSO for accessing SAP NetWeaver systems.\n(BZ#1252454)\n\nAll krb5 users are advised to upgrade to these updated packages, which\ncorrect these issues and add these enhancements.", "published": "2015-11-19T19:40:51", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:2154", "cvelist": ["CVE-2014-5355", "CVE-2015-2694"], "lastseen": "2018-04-13T18:25:08"}], "ubuntu": [{"id": "USN-2810-1", "type": "ubuntu", "title": "Kerberos vulnerabilities", "description": "It was discovered that the Kerberos kpasswd service incorrectly handled certain UDP packets. A remote attacker could possibly use this issue to cause resource consumption, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2002-2443)\n\nIt was discovered that Kerberos incorrectly handled null bytes in certain data fields. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5355)\n\nIt was discovered that the Kerberos kdcpreauth modules incorrectly tracked certain client requests. A remote attacker could possibly use this issue to bypass intended preauthentication requirements. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-2694)\n\nIt was discovered that Kerberos incorrectly handled certain SPNEGO packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-2695)\n\nIt was discovered that Kerberos incorrectly handled certain IAKERB packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-2696, CVE-2015-2698)\n\nIt was discovered that Kerberos incorrectly handled certain TGS requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-2697)", "published": "2015-11-12T00:00:00", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2810-1/", "cvelist": ["CVE-2015-2696", "CVE-2014-5355", "CVE-2015-2695", "CVE-2015-2697", "CVE-2015-2698", "CVE-2015-2694", "CVE-2002-2443"], "lastseen": "2018-03-29T18:21:25"}]}}
