[arch-dev-public] [signoff] krb5-1.9.1-5
Stéphane Gaudreault
stephane at archlinux.org
Tue Oct 18 22:10:01 EDT 2011
This update apply an upstream patch that fix the following KDC denial of
service vulnerabilities [1] :
CVE-2011-1527: In releases krb5-1.9 and later, the KDC can crash due
to a null pointer dereference if configured to use the LDAP back end.
A trigger condition is publicly known but not known to be widely
circulated.
CVE-2011-1528: In releases krb5-1.8 and later, the KDC can crash due
to an assertion failure. No exploit is known to exist, but there is
public evidence that the unidentified trigger condition occurs in the
field.
CVE-2011-1529: In releases krb5-1.8 and later, the KDC can crash due
to a null pointer dereference. No exploit is known to exist.
Please test and signoff.
I am not sure I will have internet access at the hotel in the next days, so
feel free to move this to [core] once it gets the required signoffs.
Cheers,
Stéphane
[1] http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt
More information about the arch-dev-public
mailing list