Re: Need suggestion/help in back porting the fix for vulnerability
daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Sep 21 10:18:22 2018
To: "Shivakumar Nadarajan -X (shinadar - HCL TECHNOLOGIES LIMITED at Cisco)"
<shinadar@cisco.com>,
"krbdev@mit.edu" <krbdev@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <b50455d0-ad53-3db9-5954-be675bf24817@mit.edu>
Date: Fri, 21 Sep 2018 10:18:00 -0400
MIME-Version: 1.0
In-Reply-To: <be2eb68f8ad744b4b8d810d254b5af71@XCH-RCD-014.cisco.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 09/21/2018 02:04 AM, Shivakumar Nadarajan -X (shinadar - HCL
TECHNOLOGIES LIMITED at Cisco) wrote:
> We are using Kerberos (version 1.9) in one of our components. We came
> across the vulnerability CVE-2017-7562 being reported and fixed in
> Kerberos 1.16.1.

CVE-2017-7562 does not apply to version 1.9, so you should not need to
address it.

This vulnerability actually never appeared in any released version of
MIT krb5. It was introduced on the master branch and then fixed before
the release of 1.16. The CVE was assigned because the Fedora package
contained a backport of the feature before it was fixed.

_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev