[v2.6] Kerberos < krb5-1.11.3 CVE-2002-2443
A flaw in certain programs that handle UDP traffic was discovered and
assigned the name CVE-1999-0103 (that CVE specifically mentions echo and
chargen as vulnerable). In 2002, a Nessus plugin was included  that
reference this CVE name, but was for the kpasswd service. Until
recently, this issue had not been reported upstream. This issue has
since been reported upstream  and is now fixed .
If a malicious remote user were to spoof their IP address to that of
another server running kadmind with the password change port (kpasswd,
port 464), or to the target server’s IP address itself), kpasswd will
pass UDP packets to the spoofed address and reply each time. This can
be used to consume bandwidth and CPU on the affected servers running
This should be fixed in the for krb5-1.11.3 release.
After discussing with upstream and MITRE, it was decided that this
needed its own CVE name, so it was assigned CVE-2002-2443.
(from redmine: issue id 1928, created on 2013-05-21, closed on 2013-05-27)
- parent #1927 (closed)
- Revision b318a599 by Natanael Copa on 2013-05-22T09:39:05Z:
main/krb5: security fix (CVE-2002-2443) ref #1927 fixes #1928