[3.7] heimdal: man-in-the-middle attack in function krb5_init_creds_step in lib/krb5/init_creds_pw.c (CVE-2019-12098)
In the client side of Heimdal before 7.6.0, failure to verify anonymous
PKINIT PA-PKINIT-KX key exchange permits a
man-in-the-middle attack. This issue is in krb5_init_creds_step in
lib/krb5/init_creds_pw.c.
References:
http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
https://nvd.nist.gov/vuln/detail/CVE-2019-12098
Patch:
Fixed by:
https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
(7.6.0)
Introduced by:
https://github.com/heimdal/heimdal/commit/a1ef548600c5bb51cf52a9a9ea12676506ede19f
(1.4.0)
(from redmine: issue id 10555, created on 2019-06-12)
- Relations:
- parent #10551 (closed)
- Changesets:
- Revision c29e49eb by Natanael Copa on 2019-07-11T16:17:41Z:
main/heimdal: security fix for CVE-2019-12098
fixes #10555