
CVE-2019-12098

Published: 15 May 2019

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.

Notes

Author: leosilva
Note: It fails with a FTBFS on certs tests. This issue is probably related: https://github.com/heimdal/heimdal/issues/533.

Priority

Low

CVSS 3 base score: 7.4

Status

Package: heimdal (Launchpad, Ubuntu, Debian)

Release status:
bionic: Released (7.5.0+dfsg-1ubuntu0.1)
cosmic: Ignored (reached end-of-life)
disco: Ignored (reached end-of-life)
eoan: Not vulnerable (7.5.0+dfsg-3build1)
focal: Not vulnerable (7.5.0+dfsg-3build1)
groovy: Not vulnerable (7.5.0+dfsg-3build1)
hirsute: Not vulnerable (7.5.0+dfsg-3build1)
impish: Not vulnerable (7.5.0+dfsg-3build1)
jammy: Not vulnerable (7.5.0+dfsg-3build1)
kinetic: Not vulnerable (7.5.0+dfsg-3build1)
precise: Ignored (end of ESM support, was needed)
trusty: Released (1.6~git20131207+dfsg-1ubuntu1.2+esm1)
upstream: Released (7.6)
xenial: Released (1.7~git20150920+dfsg-4ubuntu1.16.04.1+esm1)

Patches:
upstream: https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf