CVE-2015-2694

Published: 25 May 2015

The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.

Priority

Medium

Status

Package: krb5 (Launchpad, Ubuntu, Debian)

Release    Status
lucid      Not vulnerable (1.8.1+dfsg-2ubuntu0.14)
precise    Not vulnerable (1.10+dfsg~beta1-2ubuntu0.6)
trusty     Released (1.12+dfsg-2ubuntu5.2)
upstream   Released (1.13.2, 1.12.1+dfsg-20)
utopic     Ignored (reached end-of-life)
vivid      Released (1.12.1+dfsg-18ubuntu0.1)
wily       Not vulnerable (1.13.2+dfsg-2)