[3.7] krb5: Ignore password attributes for S4U2Self requests (CVE-2018-20217) (#9804) · Issues · alpine / aports

[3.7] krb5: Ignore password attributes for S4U2Self requests (CVE-2018-20217)

A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using
an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

References:

https://nvd.nist.gov/vuln/detail/CVE-2018-20217
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763

Patch:

https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086

(from redmine: issue id 9804, created on 2018-12-27, closed on 2019-01-09)

Relations:
- parent #9801 (closed)
Changesets:
- Revision 5cfdd452 on 2019-01-07T08:03:07Z:

main/krb5: upgrade to 1.15.4, security fix for CVE-2018-20217

Fixes #9804

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.