CVE-2018-5710

Published: 16 January 2018

An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function "strlen" is getting a "NULL" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows remote authenticated users to cause a denial of service (NULL pointer dereference) via a modified kadmin client.

Priority

CVSS 3 base score: 6.5

Status

Package	Release	Status
krb5 Launchpad, Ubuntu, Debian	Upstream	Released (1.16.1-1)

	Ubuntu 20.10 (Groovy Gorilla)	Not vulnerable (1.16.1-1)
	Ubuntu 20.04 LTS (Focal Fossa)	Not vulnerable (1.16.1-1)
	Ubuntu 18.04 LTS (Bionic Beaver)	Not vulnerable (1.16.1-1)
	Ubuntu 16.04 LTS (Xenial Xerus)	Needed
	Ubuntu 14.04 ESM (Trusty Tahr)	Needed
	Binaries built from this source package are in Universe and so are supported by the community.

References

Bugs

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=889685

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM