1
PublicDateAtUSN: 2014-07-21
2
Candidate: CVE-2014-4343
5
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4343
6
https://usn.ubuntu.com/usn/usn-2310-1
8
Double free vulnerability in the init_ctx_reselect function in the SPNEGO
9
initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5)
10
1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a
11
denial of service (memory corruption) or possibly execute arbitrary code
12
via network traffic that appears to come from an intended acceptor, but
13
specifies a security mechanism different from the one proposed by the
17
sarnold> Remote unauthenticated triggering is possible though the commit
18
message for the patch indicates why it is unlikely; thus 'medium'.
20
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=755520
26
upstream: https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f
27
upstream_krb5: released (1.12.1+dfsg-5)
28
lucid_krb5: released (1.8.1+dfsg-2ubuntu0.13)
29
precise_krb5: released (1.10+dfsg~beta1-2ubuntu0.5)
30
saucy_krb5: ignored (reached end-of-life)
31
trusty_krb5: released (1.12+dfsg-2ubuntu4.2)
32
devel_krb5: not-affected (1.12.1+dfsg-6)