Ubuntu.com, UB:CVE-2015-2698
Nov 06, 2015 - 12:00 a.m.

CVE-2015-2698


CVSS2: 8.5 High (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

EPSS: 0.007 Low
Percentile: 80.5%

The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in
MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a
certain pointer, which allows remote authenticated users to cause a denial
of service (memory corruption) or possibly have unspecified other impact by
interacting with an application that calls the gss_export_sec_context
function. NOTE: this vulnerability exists because of an incorrect fix for
CVE-2015-2696.

Notes

Author: tyhicks
Note: We’re not technically affected since CVE-2015-2696 hasn’t been fixed yet. Marking as needed so that we don’t miss this fix while fixing CVE-2015-2696.

| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 12.04 | noarch | krb5 | < 1.10+dfsg~beta1-2ubuntu0.7 | UNKNOWN |
| ubuntu | 14.04 | noarch | krb5 | < 1.12+dfsg-2ubuntu5.2 | UNKNOWN |
| ubuntu | 15.04 | noarch | krb5 | < 1.12.1+dfsg-18ubuntu0.1 | UNKNOWN |
| ubuntu | 15.10 | noarch | krb5 | < 1.13.2+dfsg-2ubuntu0.1 | UNKNOWN |
