CVE-2016-3119
Published: 26 March 2016
The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.
From the Ubuntu security team
It was discovered that Kerberos incorrectly handled certain requests. A remote authenticated attacker could possibly use this issue to cause a denial of service.
Priority
Medium
CVSS 3 base score: 5.3
Status
| Package | Release | Status |
|---|---|---|
|
krb5 Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.14.2+dfsg-1)
|
| Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
(1.14.3+dfsg-2ubuntu1)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(1.14.3+dfsg-2ubuntu1)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(1.14.3+dfsg-2ubuntu1)
|
|
| Ubuntu 16.04 LTS (Xenial Xerus) |
Released
(1.13.2+dfsg-5ubuntu2.1)
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Released
(1.12+dfsg-2ubuntu5.4)
|
|
| Ubuntu 12.04 ESM (Precise Pangolin) |
Needed
|
|
|
Patches: Upstream: https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99 |
||
| Binaries built from this source package are in Universe and so are supported by the community. | ||