[arch-security] [ASA-201710-8] krb5: multiple issues
anthraxx at archlinux.org
Fri Oct 6 10:42:52 UTC 2017
Arch Linux Security Advisory ASA-201710-8
Date : 2017-10-05
CVE-ID : CVE-2017-11368 CVE-2017-11462
Package : krb5
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-414
The package krb5 before version 1.15.2-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.
Upgrade to 1.15.2-1.
# pacman -Syu "krb5>=1.15.2-1"
The problems have been fixed upstream in version 1.15.2.
- CVE-2017-11368 (denial of service)
A denial of service flaw was found in MIT Kerberos krb5kdc service. An
authenticated attacker could use this flaw to cause krb5kdc to exit
with an assertion failure by making an invalid S4U2Self or S4U2Proxy
- CVE-2017-11462 (arbitrary code execution)
A double free vulnerability has been discovered in MIT Kerberos 5 (aka
krb5) allowing attackers to crash the application or possibly execute
arbitrary code via vectors involving automatic deletion of security
contexts on error.
A remote attacker is able to crash the application or possibly execute
arbitrary code on the affected host.
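As an added illustration (not krb5's code), the following C model shows the context-ownership mistake behind a double free of this kind: a library that deletes a half-built security context on error while the caller still holds the handle. It assumes a GSS-API-like convention where the caller deletes any remaining handle after a failed init; all names here are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a security context (hypothetical, not krb5's struct). */
typedef struct sec_context { char peer[32]; int established; } sec_context;
#define NO_CONTEXT ((sec_context *)0)

/* Number of live contexts; lets a test see whether deletion was balanced. */
static int live_contexts = 0;
int live_context_count(void) { return live_contexts; }

/* Idempotent delete: frees *ctx and resets the caller's handle, so a second
 * call on the same handle is a harmless no-op instead of a double free. */
int delete_sec_context(sec_context **ctx) {
    if (ctx == NULL || *ctx == NO_CONTEXT) return 0;
    free(*ctx);
    *ctx = NO_CONTEXT;
    live_contexts--;
    return 0;
}

/* Models init_sec_context: allocates on the first call, and when `fail` is
 * nonzero simulates a protocol error.  The unsafe variant of the error path
 * would free(*ctx) and return without clearing *ctx, leaving the caller a
 * dangling handle that its normal clean-up then frees again. */
int init_sec_context(sec_context **ctx, const char *peer, int fail) {
    if (*ctx == NO_CONTEXT) {
        *ctx = calloc(1, sizeof(**ctx));
        if (*ctx == NULL) return -1;
        live_contexts++;
        snprintf((*ctx)->peer, sizeof((*ctx)->peer), "%s", peer);
    }
    if (fail) {
        delete_sec_context(ctx);   /* safe: also clears the caller's handle */
        return -2;
    }
    (*ctx)->established = 1;
    return 0;
}

/* Typical caller: on any error, delete whatever handle it still holds. */
int caller_handshake(const char *peer, int fail) {
    sec_context *ctx = NO_CONTEXT;
    int rc = init_sec_context(&ctx, peer, fail);
    if (rc != 0) { delete_sec_context(&ctx); return rc; }
    delete_sec_context(&ctx);
    return 0;
}
```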