[ubuntu/lucid-security] krb5 1.8.1+dfsg-2ubuntu0.13 (Accepted)
Marc Deslauriers
marc.deslauriers at canonical.com
Mon Aug 11 12:51:28 UTC 2014
krb5 (1.8.1+dfsg-2ubuntu0.13) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed KRB5_PADATA_PK_AS_REQ
    AS-REQ request
    - src/plugins/preauth/pkinit/pkinit_crypto_openssl.c: don't dereference
      null pointer.
    - c773d3c775e9b2d88bcdff5f8a8ba88d7ec4e8ed
    - CVE-2013-1415
  * SECURITY UPDATE: denial of service via crafted TGS-REQ request
    - src/kdc/do_tgs_req.c: don't pass null pointer to strlcpy().
    - 8ee70ec63931d1e38567905387ab9b1d45734d81
    - CVE-2013-1416
  * SECURITY UPDATE: multi-realm denial of service via crafted request
    - src/kdc/main.c: don't dereference a null pointer.
    - c2ccf4197f697c4ff143b8a786acdd875e70a89d
    - CVE-2013-1418
    - CVE-2013-6800
  * SECURITY UPDATE: denial of service via invalid tokens
    - src/lib/gssapi/krb5/k5unseal.c, src/lib/gssapi/krb5/k5unsealiov.c:
      handle invalid tokens.
    - fb99962cbd063ac04c9a9d2cc7c75eab73f3533d
    - CVE-2014-4341
    - CVE-2014-4342
  * SECURITY UPDATE: denial of service via double-free in SPNEGO
    - src/lib/gssapi/spnego/spnego_mech.c: fix double-free.
    - f18ddf5d82de0ab7591a36e465bc24225776940f
    - CVE-2014-4343
  * SECURITY UPDATE: denial of service via null deref in SPNEGO acceptor
    - src/lib/gssapi/spnego/spnego_mech.c: validate REMAIN.
    - 524688ce87a15fc75f87efc8c039ba4c7d5c197b
    - CVE-2014-4344
  * SECURITY UPDATE: denial of service and possible code execution in
    kadmind with LDAP backend
    - src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c: fix off-by-one
    - 81c332e29f10887c6b9deb065f81ba259f4c7e03
    - CVE-2014-4345

Date: 2014-08-08 19:17:20.570845+00:00
Changed-By: Marc Deslauriers <marc.deslauriers at canonical.com>
https://launchpad.net/ubuntu/lucid/+source/krb5/1.8.1+dfsg-2ubuntu0.13