CVE-2019-12098

Published: 15 May 2019

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.

Priority

Low

CVSS 3 base score: 7.4

Status

Package Release Status
heimdal
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Ubuntu 21.04 (Hirsute Hippo) Not vulnerable
(7.5.0+dfsg-3build1)
Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(7.5.0+dfsg-3build1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(7.5.0+dfsg-3build1)
Ubuntu 18.04 LTS (Bionic Beaver) Needed

Ubuntu 16.04 ESM (Xenial Xerus) Needed

Ubuntu 14.04 ESM (Trusty Tahr) Needed

Patches:
Upstream: https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf

Notes

AuthorNote
leosilva 
it fails with a FTBFS on certs tests. This issue is probably related:
https://github.com/heimdal/heimdal/issues/533.

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

Further reading