
List:       krbdev
Subject:    Re: Is the vulnerability CVE-2017-11462 applicable to older MIT Kerberos 5 releases?
From:       Greg Hudson <ghudson () mit ! edu>
Date:       2017-12-03 18:22:18
Message-ID: f9534ab2-e3db-fbc5-f403-d9143131934d () mit ! edu

On 12/03/2017 05:10 AM, Sergey Emantayev wrote:
> We're using a 3rd party software integrated with the MIT Kerberos 5 library version
> 1.9.1. This is used to communicate to MS Active Directory in Linux. I found a fix
> is available for the latest versions 1.13, 1.14, 1.15:
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598. However should we apply (back
> port) the fix to our library 1.9.1? I know that they made few patches in the
> original MIT Kerberos code, I'm in doubt about an upgrade option.

The accept_sec_context part of the change affects 1.9, but the
init_sec_context part does not.

You may also be able to ignore this CVE, if your application correctly
uses the GSS-API.  An exploitable vulnerability only arises when an
application incorrectly uses gss_init_sec_context() or
gss_accept_sec_context().  This was a weird case where we assigned a CVE
based on conformant but less-than-ideally-safe API behavior, because we
knew it had contributed to a vulnerability in at least one caller.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

