Bug 730393 - (CVE-2011-1530) VUL-0: CVE-2011-1530: krb5: KDC null pointer dereference in TGS handling
(CVE-2011-1530)
VUL-0: CVE-2011-1530: krb5: KDC null pointer dereference in TGS handling
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: General
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2011-11-15 09:57 UTC by Ludwig Nussel
Modified: 2017-07-03 07:34 UTC (History)
2 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2011-11-15 09:57:35 UTC
Your friendly security team received the following report via security@suse.de.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

It was found that krb5's KDC since version 1.9 could be made to crash on a NULL pointer deref. Remote authenticated users could exploit that to crash KDC.
Comment 2 Michael Calmer 2011-11-15 10:07:42 UTC
We have krb5 1.9 only on 12.1 and FACTORY.
Comment 3 Swamp Workflow Management 2011-11-15 23:00:14 UTC
bugbot adjusting priority
Comment 5 Michael Calmer 2011-11-21 10:36:52 UTC
See Bug 731648 for the 

  fix KDC HA feature introduced with implementing KDC poll
Comment 6 Michael Calmer 2011-12-07 08:58:18 UTC
This bug is public now. I have performed a submit request to openSUSE 12.1 and Factory.
Both SRs also include the fix for Bug 731648.

Re-assign to security team for tracking.
Comment 7 Bernhard Wiedemann 2011-12-07 09:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (730393) was mentioned in
https://build.opensuse.org/request/show/95685 12.1 / krb5
https://build.opensuse.org/request/show/95686 Factory / krb5
Comment 8 Matthias Weckbecker 2011-12-07 10:27:30 UTC
CVE-2011-1530
Comment 9 Ludwig Nussel 2011-12-08 16:39:34 UTC
released