
Debian 10: DLA-3206-1 Critical: Resolved Heimdal Vulnerabilities

Debian LTS
November 26, 2022
Several security flaws in the Heimdal authentication framework have been addressed in Debian LTS DLA-3206-1. Ensure you update your packages promptly.
Multiple security vulnerabilities were discovered in heimdal, an implementation of the Kerberos 5 authentication protocol, which may result in denial of service, information disclo...

Summary

CVE-2019-14870

Isaac Boukris reported that the Heimdal KDC before 7.7.1 does not
apply delegation_not_allowed (aka not-delegated) user attributes for
S4U2Self. Instead the forwardable flag is set even if the
impersonated client has the not-delegated flag set.

CVE-2021-3671

Joseph Sutton discovered that the Heimdal KDC before 7.7.1 does not
check for a missing sname in TGS-REQ (Ticket Granting Server -
Request) before dereferencing it. An authenticated user could
use this flaw to crash the KDC.

CVE-2021-44758

It was discovered that Heimdal is prone to a NULL dereference in
acceptors when the initial SPNEGO token has no acceptable
mechanisms, which may result in denial of service for a server
application that uses the Simple and Protected GSSAPI Negotiation
Mechanism (SPNEGO).

CVE-2022-3437

Evgeny Legerov reported that the DES and Triple-DES decryption
routines in the Heimdal GSSAPI library before 7.7.1 were prone to



Severity: critical

Package: heimdal
Version: 7.5.0+dfsg-3+deb10u1
CVE ID: CVE-2019-14870 CVE-2021-3671 CVE-2021-44758 CVE-2022-3437
Debian Bug: 946786 996586 1024187
