In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c. Reference: http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html Upstream commit: https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
Created heimdal tracking bugs for this issue: Affects: fedora-all [bug 1710841] Created heimdall tracking bugs for this issue: Affects: fedora-all [bug 1710842]
Created heimdal tracking bugs for this issue: Affects: epel-all [bug 1710843]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.