In versions of gsasl < 2.0.1, a malicious client can, after it has authenticated with Kerberos, send a specially crafted message that causes Libgsasl to read out of bounds and cause a crash in the GSSAPI server.

References:
https://lists.gnu.org/archive/html/info-gnu/2022-07/msg00003.html
https://www.debian.org/security/2022/dsa-5189
Created libgsasl tracking bugs for this issue:
Affects: epel-7 [bug 2119151]
Affects: epel-8 [bug 2119152]
Affects: fedora-35 [bug 2119153]
Affects: fedora-36 [bug 2119154]
Upstream patch: https://gitlab.com/gsasl/gsasl/-/commit/796e4197f696261c1f872d7576371232330bcc30
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.