CVE-2015-2698
Published: 6 November 2015
The iakerb_gss_export_sec_context function in lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) 1.14 pre-release 2015-09-14 improperly accesses a certain pointer, which allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the gss_export_sec_context function. NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-2696.
Notes
| Author | Note |
|---|---|
| tyhicks | We're not technically affected since CVE-2015-2696 hasn't been fixed yet. Marking as needed so that we don't miss this fix while fixing CVE-2015-2696. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
krb5 Launchpad, Ubuntu, Debian |
precise |
Released
(1.10+dfsg~beta1-2ubuntu0.7)
|
| trusty |
Released
(1.12+dfsg-2ubuntu5.2)
|
|
| upstream |
Released
(1.13.2+dfsg-4)
|
|
| vivid |
Released
(1.12.1+dfsg-18ubuntu0.1)
|
|
| wily |
Released
(1.13.2+dfsg-2ubuntu0.1)
|
|
|
Patches: upstream: https://github.com/krb5/krb5/commit/3db8dfec1ef50ddd78d6ba9503185995876a39fd |
||