Debian: DSA-3395-2: krb5 security update
Debian: DSA-3395-2: krb5 security update
Marc Deslauriers reported that the update for krb5 issued as DSA-3395-1 did not contain the patch to address CVE-2015-2697 for the packages built for the oldstable distribution (wheezy). Updated packages are now available to address this issue. For reference, the relevant part of the
- ------------------------------------------------------------------------- Debian Security Advisory DSA-3395-2 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Salvatore Bonaccorso November 12, 2015 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : krb5 CVE ID : CVE-2015-2697 Debian Bug : 803088 Marc Deslauriers reported that the update for krb5 issued as DSA-3395-1 did not contain the patch to address CVE-2015-2697 for the packages built for the oldstable distribution (wheezy). Updated packages are now available to address this issue. For reference, the relevant part of the original advisory text follows. CVE-2015-2697 It was discovered that the build_principal_va() function incorrectly handles input strings. An authenticated attacker can take advantage of this flaw to cause a KDC to crash using a TGS request with a large realm field beginning with a null byte. For the oldstable distribution (wheezy), this problem has been fixed in version 1.10.1+dfsg-5+deb7u6. We recommend that you upgrade your krb5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.