[19820] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

RE: Need suggestion/help in back porting the fix for vulnerability

daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Fri Sep 21 10:37:34 2018

From: "Shivakumar Nadarajan -X (shinadar - HCL TECHNOLOGIES LIMITED at Cisco)"
	<shinadar@cisco.com>
To: Greg Hudson <ghudson@mit.edu>, "krbdev@mit.edu" <krbdev@mit.edu>
Date: Fri, 21 Sep 2018 14:37:19 +0000
Message-ID: <b252593633fa414795916c4b55008a87@XCH-RCD-014.cisco.com>
In-Reply-To: <b50455d0-ad53-3db9-5954-be675bf24817@mit.edu>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

Hi Greg,

	Thanks for your interest in this issue. But I am still not clear that how this vulnerability is not applicable to kerberos 1.9 .
Because as per the git link https://github.com/krb5/krb5/pull/694 it seems that this functionality is present in kerberos 1.9 also.

Please can you help in elaborate more on how the fix is not applicable for kerberos 1.9

Thanks and Regards!
Shiva

-----Original Message-----
From: Greg Hudson [mailto:ghudson@mit.edu] 
Sent: 21 September 2018 19:48
To: Shivakumar Nadarajan -X (shinadar - HCL TECHNOLOGIES LIMITED at Cisco) <shinadar@cisco.com>; krbdev@mit.edu
Subject: Re: Need suggestion/help in back porting the fix for vulnerability CVE-2017-7562 (backporting from Kerberos 1.16.1 to Kerberos 1.9)

On 09/21/2018 02:04 AM, Shivakumar Nadarajan -X (shinadar - HCL TECHNOLOGIES LIMITED at Cisco) wrote:> We are using Kerberos (version
1.9) in one of our components. We came across the vulnerability
CVE-2017-7562 being reported and fixed in Kerberos 1.16.1.

CVE-2017-7562 does not apply to version 1.9, so you should not need to address it.

This vulnerability actually never appeared in any released version of MIT krb5.  It was introduced on the master branch and then fixed before the release of 1.16.  The CVE was assigned because the Fedora package contained a backport of the feature before it was fixed.

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev

home help back first fref pref prev next nref lref last post