CVE-2017-15088
Published: 23 November 2017
plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat.
Priority
Negligible
CVSS 3 base score: 9.8
Status
| Package | Release | Status |
|---|---|---|
|
krb5 Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.15.2-2)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(1.15.2-2)
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
(1.15.2-2)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(1.15.2-2)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Not vulnerable
(1.15.2-2)
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Needed
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needed
|
|
| Binaries built from this source package are in Universe and so are supported by the community. | ||