PublicDateAtUSN: 2015-05-25
Candidate: CVE-2015-2694
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2694
https://usn.ubuntu.com/usn/usn-2810-1
The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x
before 1.13.2 do not properly track whether a client's request has been
validated, which allows remote attackers to bypass an intended
preauthentication requirement by providing (1) zero bytes of data or (2) an
arbitrary realm name, related to plugins/preauth/otp/main.c and
plugins/preauth/pkinit/pkinit_srv.c.
tyhicks> affects 1.12 and later
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783557
Tags_krb5: universe-binary
upstream: https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604
upstream_krb5: released (1.13.2,1.12.1+dfsg-20)
lucid_krb5: not-affected (1.8.1+dfsg-2ubuntu0.14)
precise_krb5: not-affected (1.10+dfsg~beta1-2ubuntu0.6)
trusty_krb5: released (1.12+dfsg-2ubuntu5.2)
utopic_krb5: ignored (reached end-of-life)
vivid_krb5: released (1.12.1+dfsg-18ubuntu0.1)
wily_krb5: not-affected (1.13.2+dfsg-2)
devel_krb5: not-affected (1.13.2+dfsg-3)
vivid/stable-phone-overlay_krb5: released (1.12.1+dfsg-18ubuntu0.1)
vivid/ubuntu-core_krb5: released (1.12.1+dfsg-18ubuntu0.1)