
Mageia: 2022-0468 Moderate: Heimdal KDC Denial Of Service Advisory

December 17, 2022
The Heimdal Key Distribution Center prior to version 7.7.1 has significant vulnerabilities, affecting both the stability of the service and its overall security.

Summary

Isaac Boukris reported that the Heimdal KDC before 7.7.1 does not apply delegation_not_allowed (aka not-delegated) user attributes for S4U2Self. Instead the forwardable flag is set even if the impersonated client has the not-delegated flag set. (CVE-2019-14870)
Joseph Sutton discovered that the Heimdal KDC before 7.7.1 does not check for a missing sname in TGS-REQ (Ticket Granting Server Request) before dereferencing. An authenticated user could use this flaw to crash the KDC. (CVE-2021-3671)
It was discovered that Heimdal is prone to a NULL dereference in acceptors when the initial SPNEGO token has no acceptable mechanisms, which may result in denial of service for a server application that uses the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO). (CVE-2021-44758)
Evgeny Legerov reported that the DES and Triple-DES decryption routines in the Heimdal GSSAPI library before 7.7.1 were prone to buffer overflow on malloc() allocated memory when presented with a ma...


References

- https://bugs.mageia.org/show_bug.cgi?id=31172

- https://lists.debian.org/debian-security-announce/2022/msg00257.html

- https://lists.debian.org/debian-security-announce/2022/msg00258.html

- https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html

- https://github.com/heimdal/heimdal/security/advisories/GHSA-q77c-9qvp-qfw4

- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/AYXWFESBZJMBNACFDHWWH7KETGKUXDPO/

- https://www.cve.org/CVERecord?id=CVE-2019-14870

- https://www.cve.org/CVERecord?id=CVE-2021-3671

- https://www.cve.org/CVERecord?id=CVE-2021-44758

- https://www.cve.org/CVERecord?id=CVE-2022-3437

- https://www.cve.org/CVERecord?id=CVE-2022-41916

- https://www.cve.org/CVERecord?id=CVE-2022-42898

- https://www.cve.org/CVERecord?id=CVE-2022-44640

Resolution

SRPMS

- 8/core/heimdal-7.7.1-1.2.mga8

Publication date: 17 Dec 2022
URL: https://advisories.mageia.org/MGASA-2022-0468.html
Type: security
CVE: CVE-2019-14870, CVE-2021-3671, CVE-2021-44758, CVE-2022-3437, CVE-2022-41916, CVE-2022-42898, CVE-2022-44640
