Your submission was sent successfully! Close

CVE-2011-4862

Published: 25 December 2011

Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.

Notes

AuthorNote
jdstrand
from DSA: "Kerberos support for telnetd contains a
pre-authentication buffer overflow".
did not check if this is protected via stack-protector yet
mdeslaur
all affected code is in universe binaries
Priority

Medium

Status

Package Release Status
heimdal
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid Ignored
(reached end-of-life)
maverick Ignored
(reached end-of-life)
natty Ignored
(reached end-of-life)
oneiric Ignored
(reached end-of-life)
precise Not vulnerable
(1.6git20120311.dfsg.1-2)
quantal Ignored
(reached end-of-life)
raring Ignored
(reached end-of-life)
saucy Ignored
(reached end-of-life)
trusty Not vulnerable
(1.6git20120311.dfsg.1-2)
upstream
Released (1.5.2)
utopic Not vulnerable
(1.6git20120311.dfsg.1-2)
vivid Not vulnerable
(1.6git20120311.dfsg.1-2)
wily Not vulnerable
(1.6git20120311.dfsg.1-2)
xenial Not vulnerable
(1.6git20120311.dfsg.1-2)
yakkety Not vulnerable
(1.6git20120311.dfsg.1-2)
zesty Not vulnerable
(1.6git20120311.dfsg.1-2)
Patches:
vendor: http://www.debian.org/security/2011/dsa-2372



Binaries built from this source package are in Universe and so are supported by the community.
inetutils
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid Ignored
(reached end-of-life)
maverick Ignored
(reached end-of-life)
natty Ignored
(reached end-of-life)
oneiric Ignored
(reached end-of-life)
precise Does not exist
(precise was not-affected [2:1.8-6])
quantal Ignored
(reached end-of-life)
raring Ignored
(reached end-of-life)
saucy Ignored
(reached end-of-life)
trusty Not vulnerable
(2:1.8-6)
upstream
Released (1.9)
utopic Not vulnerable
(2:1.8-6)
vivid Not vulnerable
(2:1.8-6)
wily Not vulnerable
(2:1.8-6)
xenial Not vulnerable
(2:1.8-6)
yakkety Not vulnerable
(2:1.8-6)
zesty Not vulnerable
(2:1.8-6)
Patches:

vendor: http://www.debian.org/security/2011/dsa-2373


krb5
Launchpad, Ubuntu, Debian
hardy Ignored
(reached end-of-life)
lucid Not vulnerable
(code not present)
maverick Not vulnerable
(code not present)
natty Not vulnerable
(code not present)
oneiric Not vulnerable
(code not present)
precise Not vulnerable
(code not present)
quantal Not vulnerable
(code not present)
raring Not vulnerable
(code not present)
saucy Not vulnerable
(code not present)
trusty Not vulnerable
(code not present)
upstream Needs triage

utopic Not vulnerable
(code not present)
vivid Not vulnerable
(code not present)
wily Not vulnerable
(code not present)
xenial Not vulnerable
(code not present)
yakkety Not vulnerable
(code not present)
zesty Not vulnerable
(code not present)
Patches:


vendor: http://www.debian.org/security/2011/dsa-2375

Binaries built from this source package are in Universe and so are supported by the community.
krb5-appl
Launchpad, Ubuntu, Debian
hardy Does not exist

lucid Ignored
(reached end-of-life)
maverick Ignored
(reached end-of-life)
natty Ignored
(reached end-of-life)
oneiric Ignored
(reached end-of-life)
precise Does not exist
(precise was needed)
quantal Ignored
(reached end-of-life)
raring Ignored
(reached end-of-life)
saucy Ignored
(reached end-of-life)
trusty Does not exist

upstream Needs triage

utopic Does not exist

vivid Does not exist

wily Does not exist

xenial Does not exist

yakkety Does not exist

zesty Does not exist

Patches:



vendor: http://www.debian.org/security/2011/dsa-2375