Bug 1753589 (CVE-2019-14844)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2019-14844 krb5: reversed strlcpy() allows client to crash the KDC | | |
| Product | [Other] Security Response | Reporter | msiddiqu |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | abokovoy, csutherl, dblechte, dfediuck, dpal, eedri, gzaronik, jclere, jplans, j, lgao, mbabacek, mgoldboi, michal.skrivanek, mturk, myarboro, nalin, npmccallum, pkis, rharwood, sbonazzo, sbose, security-response-team, sherold, ssorce, twalsh, weli, yturgema |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the way the KDC handles the RFC 4556 (PKINIT) "enctypes" sent by a Kerberos client: sending one of them could crash the KDC. A remote unauthenticated user could use this flaw to crash the KDC. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2019-11-20 06:51:12 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1754369 | | |
| Bug Blocks | 1753106 | | |
Description
msiddiqu, 2019-09-19 11:19:57 UTC

This issue is caused by backporting commits due to the following bug: https://bugzilla.redhat.com/show_bug.cgi?id=1664157

External References:
https://github.com/krb5/krb5/pull/981

Note: This flaw was introduced in upstream commit:
https://github.com/krb5/krb5/commit/a649279727490687d54becad91fde8cf7429d951
and fixed via
https://github.com/krb5/krb5/pull/981/commits/275c9a1aad36a1a7b56042f1a2c21c33e7d16eaf

This flaw does not affect any MIT krb5 upstream releases.

Fedora versions of MIT krb5 are affected and fixed via the following updates:
https://bodhi.fedoraproject.org/updates/FEDORA-2019-f939e79e24
https://bodhi.fedoraproject.org/updates/FEDORA-2019-2323661e5f
https://bodhi.fedoraproject.org/updates/FEDORA-2019-320a5a6a68
https://bodhi.fedoraproject.org/updates/FEDORA-2019-dc4e1d0fb6

Statement:
This flaw affects the krb5 server only; client-side packages are not affected. This flaw does not affect any krb5 packages shipped with Red Hat products.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-14844
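As an added illustration of the bug class named in the summary, a strlcpy() call with its source and destination arguments swapped. This is constructed example code, not MIT krb5's code and not the fix in pull request 981; the affected krb5 code path is not reproduced here. `local_strlcpy`, `record_t`, `NAME_MAX_LEN` and the enctype-name strings are assumptions made for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local implementation of the BSD strlcpy() contract (named to avoid
 * clashing with a libc that provides its own): copy at most size-1 bytes of
 * src into dst, always NUL-terminate when size > 0, and return strlen(src)
 * so the caller can detect truncation (return value >= size).
 * Illustrative code, not MIT krb5's. */
static size_t local_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Hypothetical server-side record holding a name received from a peer. */
#define NAME_MAX_LEN 16
typedef struct {
    char enctype_name[NAME_MAX_LEN];
} record_t;

/* Correct usage: destination first, bound is the destination's own size,
 * and the return value is checked so an oversized peer name is rejected
 * (field cleared, -1 returned) instead of being silently truncated. */
int record_set_name(record_t *rec, const char *peer_name)
{
    size_t need = local_strlcpy(rec->enctype_name, peer_name,
                                sizeof rec->enctype_name);
    if (need >= sizeof rec->enctype_name) {
        rec->enctype_name[0] = '\0';   /* fail closed: keep no partial name */
        return -1;
    }
    return 0;
}

/* The same call with the first two arguments reversed, the bug class named
 * in the summary.  The bound still says sizeof rec->enctype_name, but the
 * write now lands in the *peer's* buffer, whose real size this function
 * does not know, and the record is never updated.  If peer_buf were shorter
 * than NAME_MAX_LEN bytes the copy would run past its end; that is the
 * memory corruption a reversed strlcpy() produces.  For this demo peer_buf
 * must be at least NAME_MAX_LEN bytes so the program stays well-defined. */
int record_set_name_reversed(record_t *rec, char peer_buf[NAME_MAX_LEN])
{
    local_strlcpy(peer_buf, rec->enctype_name, sizeof rec->enctype_name);
    return 0;   /* reports success although the record was not updated */
}

/* Exercises the correct version on constructed input.  Returns 0 if the
 * contract holds (short name stored, 26-character name rejected and field
 * cleared), otherwise the number of the failed step. */
int check_set_name_contract(void)
{
    record_t rec;
    if (record_set_name(&rec, "aes128-cts") != 0) return 1;
    if (strcmp(rec.enctype_name, "aes128-cts") != 0) return 2;
    if (record_set_name(&rec, "aes256-cts-hmac-sha384-192") != -1) return 3;
    if (rec.enctype_name[0] != '\0') return 4;
    return 0;
}

/* Drives the reversed version on constructed input.  Returns 1 if the call
 * clobbered the peer's buffer with the record's old contents while leaving
 * the record stale, 0 otherwise. */
int demo_reversed_clobbers_peer(void)
{
    record_t rec;
    char peer_buf[NAME_MAX_LEN] = "rc4-hmac";     /* constructed peer input */

    record_set_name(&rec, "aes256-cts");          /* record holds a name   */
    record_set_name_reversed(&rec, peer_buf);     /* meant to replace it   */

    return strcmp(rec.enctype_name, "aes256-cts") == 0 &&
           strcmp(peer_buf, "aes256-cts") == 0;
}

int main(void)
{
    printf("correct strlcpy contract holds (0 = yes): %d\n",
           check_set_name_contract());
    printf("reversed call clobbers peer buffer, record stale (1 = yes): %d\n",
           demo_reversed_clobbers_peer());
    return 0;
}
```

The reversed call reports success, leaves the record untouched and overwrites the peer's buffer using the record's size as the bound; when the peer's buffer is smaller than that bound the write runs past its end, which is how a swapped bounded copy becomes the crash the summary describes. The correct version checks the return value so that an oversized name is rejected rather than silently truncated.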