CVE-2019-12098
Published: 15 May 2019
In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
Priority
CVSS 3 base score: 7.4
Status
Package | Release | Status |
---|---|---|
heimdal (Launchpad, Ubuntu, Debian) | Upstream | Needs triage |
heimdal | Ubuntu 20.10 (Groovy Gorilla) | Not vulnerable (7.5.0+dfsg-3build1) |
heimdal | Ubuntu 20.04 LTS (Focal Fossa) | Not vulnerable (7.5.0+dfsg-3build1) |
heimdal | Ubuntu 18.04 LTS (Bionic Beaver) | Needed |
heimdal | Ubuntu 16.04 LTS (Xenial Xerus) | Needed |
heimdal | Ubuntu 14.04 ESM (Trusty Tahr) | Needed |

Patches: Upstream: https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
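The check a practitioner wants from this table is "is the heimdal version on my host still affected?", which needs Debian's package version ordering rather than a plain string compare (note that 7.5.0+dfsg-3build1 is older than 7.6.0 by version number yet is listed as not vulnerable on Focal and Groovy, so the decision has to be made per release). The following is an added example, not code from the Ubuntu CVE tracker or from Heimdal: it re-implements dpkg's version comparison (epoch, upstream, revision; `~` sorts before everything, letters before punctuation, digit runs numerically) and applies the status table above. Two assumptions are made and marked in the code: the "Not vulnerable (version)" entries are read as "that version and anything newer is fixed", and the releases marked "Needed" are treated as affected at every version.

```python
# Added example, not part of the Ubuntu CVE tracker page or of Heimdal itself.
# Decides whether a given heimdal package version is still affected by
# CVE-2019-12098 using the status table above and a re-implementation of
# Debian's package version ordering.

# Fixed thresholds taken from the status table. ASSUMPTION: the
# "Not vulnerable (version)" entries for Focal and Groovy are read as
# "that version and anything newer is fixed"; the tracker itself only
# names the version it checked.
FIXED_AT = {
    "upstream": "7.6.0",             # "Heimdal before 7.6.0" is affected
    "groovy": "7.5.0+dfsg-3build1",  # Ubuntu 20.10, not vulnerable
    "focal": "7.5.0+dfsg-3build1",   # Ubuntu 20.04 LTS, not vulnerable
}
# Releases the page marks "Needed": no fixed version exists, so every
# version is treated as affected (ASSUMPTION, but the only safe reading).
NEEDED = {"bionic", "xenial", "trusty"}


def _order(c):
    """Character weight used by dpkg for the non-digit parts of a version."""
    if c == "~":
        return -1           # '~' sorts before everything, even end of string
    if c == "" or c.isdigit():
        return 0            # end of part / boundary of a digit run
    if c.isalpha():
        return ord(c)       # letters sort before punctuation
    return ord(c) + 256     # any other character sorts after letters


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): alternate non-digit and digit segments."""
    while a or b:
        first_diff = 0
        # Non-digit segment: compare character by character via _order().
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac, bc = _order(a[:1]), _order(b[:1])
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        # Digit segment: drop leading zeros, longer run wins, else first
        # differing digit decides.
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = (a[0] > b[0]) - (a[0] < b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(v):
    """Split [epoch:]upstream[-revision]; first ':' and last '-' delimit."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def is_affected(release, version):
    """True if heimdal `version` on `release` is still affected per the table."""
    if release in NEEDED:
        return True
    if release in FIXED_AT:
        return compare_versions(version, FIXED_AT[release]) < 0
    raise ValueError(f"release not in the status table: {release}")


if __name__ == "__main__":
    # Constructed sample inputs, not versions observed on any real host.
    for rel, ver in [("upstream", "7.5.0"), ("upstream", "7.6.0~rc1"),
                     ("upstream", "7.6.0"), ("focal", "7.5.0+dfsg-3build1"),
                     ("focal", "7.5.0+dfsg-3"), ("bionic", "7.5.0+dfsg-1")]:
        print(f"{rel:9} {ver:22} affected={is_affected(rel, ver)}")
```

On a real host, feed the script the installed version of the heimdal binary package you care about (for the client library that is the `libkrb5-26-heimdal` package on Debian and Ubuntu), for example from `dpkg-query -W -f='${Version}\n' libkrb5-26-heimdal`, together with the release codename. The `~` handling matters here: a hypothetical `7.6.0~rc1` pre-release build sorts before 7.6.0 and is reported as affected, which a naive string or float comparison would get wrong.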
Notes
Author | Note |
---|---|
leosilva | It fails with an FTBFS on the certs tests. This issue is probably related: https://github.com/heimdal/heimdal/issues/533. |