A vulnerability was found in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. An authenticated user who can obtain a TGT using an older encryption type (DES, DES3, or RC4) can cause an assertion failure in the KDC by sending an S4U2Self request, crashing the KDC process (a denial of service).
Created krb5 tracking bugs for this issue:
Affects: fedora-all [bug 1665297]
Why is it that Status is New and Fixed In says 1.17? Is this bug really fixed in RHEL 7?
If so, is there a CentOS 7.x RPM with this fix already?
Hi Rama, 1.17 is the krb5 version that it's fixed in upstream.
This is the RHEL/Fedora bugtracker; CentOS bugs are tracked separately (by different people) at https://bugs.centos.org
We currently bundle krb5-libs-1.15.1-19.el7.x86_64 and krb5-devel-1.15.1-19.el7.x86_64 on top of CentOS 7.5.1804.
And we are trying to fix CVE-2018-20217. The idea is to apply the upstream patch onto this source and rebuild the source RPM and RPM for 1.17.
I will be raising this question on the CentOS forum as suggested.
I would appreciate it if you could share your thoughts, as you are involved with krb5 development.
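The backport Rama describes, as an added shell example that is not part of this thread and not tooling from the krb5 or CentOS projects: a POSIX sh helper that splices an extra `PatchN:` declaration and `%patchN` application into an RPM spec, plus the rebuild sequence on a CentOS 7 build host. The patch file name `cve-2018-20217.patch`, the patch number 999, the `.1` sub-release suffix, and the trimmed spec produced by `sample_spec` are constructed assumptions, not the real `krb5.spec`; the thread does not name the upstream commit, so the patch has to be exported from a krb5 git checkout by hand and may need context adjustments to apply to the 1.15.1 tree.

```shell
#!/bin/sh
# Added example, not code from the bug thread, MIT krb5 or CentOS: splice a
# backported patch into an RPM spec and rebuild the package from the SRPM.
# Assumptions (constructed for illustration): patch file cve-2018-20217.patch,
# patch number 999, and the trimmed spec printed by sample_spec.
set -eu

# add_patch_to_spec SPEC PATCHFILE NUM
# Inserts "PatchNUM: PATCHFILE" after the last existing PatchN: line (after
# Source0 if there is none) and "%patchNUM -p1" after the last %patchN line
# in %prep (after %setup if there is none). Release gets a numeric sub-release
# (19%{?dist} -> 19.1%{?dist}): rpmvercmp ranks a numeric segment above the
# alphabetic "el7", so the rebuild sorts above the vendor build it derives
# from and below the vendor's next release, letting a later vendor fix
# supersede it on "yum update".
add_patch_to_spec() {
    spec=$1; patch=$2; num=$3
    awk -v p="$patch" -v n="$num" '
        /^Patch[0-9]+:/ { last_decl = NR }
        /^Source0?:/    { src = NR }
        /^%patch[0-9]+/ { last_apply = NR }
        /^%setup/       { setup = NR }
        /^Release:/     { rel = NR }
        { line[NR] = $0 }
        END {
            decl  = last_decl  ? last_decl  : src
            apply = last_apply ? last_apply : setup
            for (i = 1; i <= NR; i++) {
                out = line[i]
                if (i == rel && !sub(/%/, ".1%", out)) out = out ".1"
                print out
                if (i == decl)  printf "Patch%s: %s\n", n, p
                if (i == apply) printf "%%patch%s -p1\n", n
            }
        }' "$spec" > "$spec.new" && mv "$spec.new" "$spec"
}

# sample_spec: a constructed, trimmed-down spec standing in for krb5.spec
# (version and release match the thread; patch names are placeholders).
sample_spec() {
    cat <<'EOF'
Name: krb5
Version: 1.15.1
Release: 19%{?dist}
Source0: krb5-%{version}.tar.gz
Patch1: krb5-1.15.1-distro-fix-1.patch
Patch2: krb5-1.15.1-distro-fix-2.patch

%prep
%setup -q
%patch1 -p1 -b .fix1
%patch2 -p1 -b .fix2

%build
%configure
EOF
}

# demo: run the splice on the constructed sample spec and show the result.
demo() {
    tmp=$(mktemp)
    sample_spec > "$tmp"
    add_patch_to_spec "$tmp" cve-2018-20217.patch 999
    cat "$tmp"
    rm -f "$tmp"
}

# rebuild_krb5 PATCHFILE: the real backport on a CentOS 7 build host (needs
# yum-utils, rpm-build, rpmdevtools and the CentOS-Sources repos enabled via
# --enablerepo; not run by the demo). Export the upstream fix yourself with
# "git format-patch -1 <commit>" in a krb5 checkout; the thread names no
# commit, and a 1.17-era change may need context adjusted for 1.15.1.
rebuild_krb5() {
    patchfile=$1
    rpmdev-setuptree
    yumdownloader --source --enablerepo=base-source,updates-source krb5
    rpm -ivh krb5-1.15.1-*.el7.src.rpm
    cp "$patchfile" "$HOME/rpmbuild/SOURCES/"
    add_patch_to_spec "$HOME/rpmbuild/SPECS/krb5.spec" "$(basename "$patchfile")" 999
    yum-builddep -y "$HOME/rpmbuild/SPECS/krb5.spec"
    rpmbuild -ba "$HOME/rpmbuild/SPECS/krb5.spec"   # krb5-server carries the KDC
}

case "${1:-demo}" in
    rebuild) rebuild_krb5 "$2" ;;
    *)       demo ;;
esac
```

Run without arguments to see the spliced sample spec; `sh backport.sh rebuild cve-2018-20217.patch` performs the actual SRPM rebuild. Rebuilding from the distribution SRPM rather than jumping to 1.17 keeps the 1.15.1 ABI that other installed packages were built against, and only the resulting krb5-server package needs to reach the KDC hosts.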
This vulnerability is out of security support scope for the following product:
* Red Hat Enterprise Application Platform 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.