Bug 743742 (CVE-2011-4151)

Summary: VUL-1: CVE-2011-4151: krb5: krb5_db2_lockout_audit() DoS (assertion failure)
Product: [Novell Products] SUSE Security Incidents Reporter: Matthias Weckbecker <mweckbecker>
Component: GeneralAssignee: Michael Calmer <mc>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: meissner, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv2:NVD:CVE-2011-1528:7.8:(AV:N/AC:L/Au:N/C:N/I:N/A:C) CVSSv2:RedHat:CVE-2011-1528:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Matthias Weckbecker 2012-01-27 08:42:14 UTC
CVE-2011-4151
======================================================
Name: CVE-2011-4151
The krb5_db2_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4, when the db2 (aka Berkeley DB) back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, a different vulnerability than CVE-2011-1528.

Reference: CERT-VN: http://www.kb.cert.org/vuls/id/659251
Reference: XF: http://xforce.iss.net/xforce/xfdb/70891
Reference: CONFIRM: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt
Comment 1 Michael Calmer 2012-01-27 10:00:46 UTC
The patch is already released. Only this CVE is missing in the changelog,
but the fix has not changed.

What should I do now?
Comment 3 Marcus Meissner 2012-01-27 13:22:33 UTC
for whic distros was it fixed? in the last update i guess?
Comment 5 Marcus Meissner 2012-01-27 15:09:58 UTC
I linked CVE-2011-4151 and CVE-2011-1527 also to 74772a873ea725240d9cf158c713b16f,
will appeae on the cve pages on next run.

no need for new submissions
Comment 6 Matthias Weckbecker 2013-03-21 09:47:04 UTC
(In reply to comment #4)
[...]
> It was fixed for:
> 
> oS 11.3
> oS 11.4
> os 12.1
> 
[...]

Stumbled across this. For the sake of completeness: 12.3 is also patched.