Bug 1665296 (CVE-2018-20217)
| Summary: | CVE-2018-20217 krb5: Reachable assertion in the KDC using S4U2Self requests | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | apmukher, cheimes, dpal, jplans, lpardo, nalin, pkis, rlinga, rschiron |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | krb5 1.17 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-10-27 03:19:05 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1665297, 1673016, 1673017, 1732339 | | |
| Bug Blocks: | 1665299 | | |
Description

Laura Pardo
2019-01-10 21:45:52 UTC

Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 1665297]

Why is it that Status is New and Fixed In says 1.17? Is this bug really fixed in RHEL 7? If so, is there a CentOS 7.x RPM with this fix already?

Hi Rama,

1.17 is the krb5 version that it's fixed in upstream. This is the RHEL/Fedora bugtracker; CentOS bugs are tracked separately (by different people) at https://bugs.centos.org

Hi Robbie,

We currently bundle krb5-libs-1.15.1-19.el7.x86_64 and krb5-devel-1.15.1-19.el7.x86_64 on top of CentOS 7.5.1804, and we are trying to fix CVE-2018-20217. The idea is to apply the upstream patch onto this source and rebuild the source RPM and RPM for 1.17. I will be raising this question on the CentOS forum as suggested. I would appreciate it if you could share your thoughts, as you are involved with krb5 development.

This vulnerability is out of security support scope for the following product:

* Red Hat Enterprise Application Platform 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

This vulnerability is out of security support scope for the following products:

* Red Hat JBoss Core Services
* Red Hat JBoss Enterprise Web Server 2

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.