A vulnerability was found in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. An authenticated user who can obtain a TGT using an older encryption type (DES, DES3, or RC4) can cause an assertion failure in the KDC by sending an S4U2Self request. References: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/ Upstream patch: https://github.com/krb5/krb5/commit/94e5eda5bb94d1d44733a49c3d9b6d1e42c74def
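The precondition for this issue is a TGT issued with one of the older enctypes, which a KDC administrator can audit from the krb5kdc log. The following is an added example (not code from krb5 or from this bug report) that scans krb5kdc ISSUE lines for TGTs whose ticket or session key uses DES, DES3 or RC4; the log lines are constructed for the example and the enctype numbers are the standard Kerberos assignments.

```python
import re

# Older enctype numbers (RFC 3961 / RFC 4757) that this CVE's precondition involves.
WEAK_ENCTYPES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    23: "arcfour-hmac",
}

# Matches the ISSUE record krb5kdc writes for AS_REQ and TGS_REQ exchanges.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) .*?: ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>\d+) tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)


def weak_tgt_issuances(log_lines):
    """Return (client, enctype number, enctype name) for every TGT issued
    with a weak ticket or session enctype. Non-TGT service tickets are ignored,
    since only a TGT is needed to reach the affected S4U2Self code path."""
    findings = []
    for line in log_lines:
        m = ISSUE_RE.search(line)
        if not m or not m.group("server").startswith("krbtgt/"):
            continue
        for field in ("tkt", "ses"):
            etype = int(m.group(field))
            if etype in WEAK_ENCTYPES:
                findings.append((m.group("client"), etype, WEAK_ENCTYPES[etype]))
                break  # one finding per issuance is enough
    return findings


# Constructed sample lines in krb5kdc's log format (hypothetical realm and hosts).
SAMPLE_LOG = [
    "Jan 10 12:00:01 kdc krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: "
    "ISSUE: authtime 1547121601, etypes {rep=23 tkt=23 ses=23}, "
    "alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Jan 10 12:00:02 kdc krb5kdc[1234](info): AS_REQ (2 etypes {18 17}) 10.0.0.6: "
    "ISSUE: authtime 1547121602, etypes {rep=18 tkt=18 ses=18}, "
    "bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Jan 10 12:00:03 kdc krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.6: "
    "ISSUE: authtime 1547121602, etypes {rep=18 tkt=23 ses=18}, "
    "bob@EXAMPLE.COM for host/app.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    for client, etype, name in weak_tgt_issuances(SAMPLE_LOG):
        print(f"weak TGT: {client} enctype {etype} ({name})")
```

Principals that still show up here are the ones to migrate to AES keys (and whose krbtgt key should not permit the older enctypes) until the KDC is at a fixed version.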
Created krb5 tracking bugs for this issue: Affects: fedora-all [bug 1665297]
Why is it that Status is New and Fixed In says 1.17? Is this bug really fixed in RHEL 7? If so, is there a CentOS 7.x RPM with this fix already?
Hi Rama, 1.17 is the krb5 version that it's fixed in upstream. This is the RHEL/Fedora bugtracker; CentOS bugs are tracked separately (by different people) at https://bugs.centos.org
Hi Robbie, We currently bundle krb5-libs-1.15.1-19.el7.x86_64 and krb5-devel-1.15.1-19.el7.x86_64 on top of CentOS 7.5.1804. And we are trying to fix CVE-2018-20217. The idea is to apply the upstream patch onto this source and rebuild the source RPM and RPM for 1.17. I will be raising this question on the CentOS forum as suggested. I would appreciate it if you could share your thoughts, as you are involved with krb5 development.
This vulnerability is out of security support scope for the following product: * Red Hat Enterprise Application Platform 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Core Services * Red Hat JBoss Enterprise Web Server 2 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.