~ubuntu-security/ubuntu-cve-tracker/master

PublicDateAtUSN: 2011-10-18
Candidate: CVE-2011-1527
PublicDate: 2011-10-20
References: 
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1527
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt
 http://www.ubuntu.com/usn/usn-1233-1
Description:
 The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerberos 5
 (aka krb5) 1.9 through 1.9.1, when the LDAP back end is used, allows remote
 attackers to cause a denial of service (NULL pointer dereference and daemon
 crash) via a kinit operation with incorrect string case for the realm,
 related to the is_principal_in_realm, krb5_set_error_message,
 krb5_ldap_get_principal, and process_as_req functions.
Ubuntu-Description:
Notes: 
 sbeattie> CRD Tuesday, 18 October 2011, at 14:00 US/Eastern time
 sbeattie> krb5 1.9 only
Bugs: 
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629558
Priority: medium
Discovered-by: Nalin Dahyabhai, Andrej Ota, and Kyle Moffett
Assigned-to: 

Patches_krb5:
 upstream: http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt
upstream_krb5: needs-triage
hardy_krb5: not-affected
lucid_krb5: not-affected
maverick_krb5: not-affected
natty_krb5: not-affected
oneiric_krb5: released (1.9.1+dfsg-1ubuntu1.1)
devel_krb5: not-affected (1.9.1+dfsg-1ubuntu2.1)