Source: krb5
Version: 1.7dfsg~beta1-1
Severity: important
Tags: patch security upstream

Hi,

the following vulnerabilities were published for krb5.

CVE-2018-5729[0]:
| In MIT krb5 1.6 or later, an authenticated kadmin user with permission
| to add principals to an LDAP Kerberos database can cause a null
| dereference in kadmind, or circumvent a DN container check, by
| supplying tagged data intended to be internal to the database module.
| Thanks to Sharwan Ram and Pooja Anil for discovering the potential
| null dereference.

CVE-2018-5730[1]:
| In MIT krb5 1.6 or later, an authenticated kadmin user with permission
| to add principals to an LDAP Kerberos database can circumvent a DN
| containership check by supplying both a "linkdn" and "containerdn"
| database argument, or by supplying a DN string which is a left
| extension of a container DN string but is not hierarchically within
| the container DN.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see (but not much, most information is only
in the upstream commit):

[0] https://security-tracker.debian.org/tracker/CVE-2018-5729
[1] https://security-tracker.debian.org/tracker/CVE-2018-5730

Regards,
Salvatore
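The second vector in CVE-2018-5730 (a DN string that is a "left extension" of the container DN string without being hierarchically inside it) comes down to comparing DNs as flat strings instead of as sequences of RDN components. The following added example is not krb5 code and does not reproduce the kadmind LDAP module; it is a constructed Python illustration of the difference between a string-suffix containership check and one that compares parsed RDN components. The helper names (`split_dn`, `naive_is_in_container`, `rdn_is_in_container`) and the sample DNs are constructed for this illustration. The "linkdn"/"containerdn" double-argument vector from the same CVE is not modelled here.

```python
"""Constructed illustration of DN containership checks (not krb5 code).

A DN such as "cn=x,ou=people,dc=example,dc=com" is hierarchically inside
the container "ou=people,dc=example,dc=com" only if its trailing RDN
components are exactly the container's components. A plain string-suffix
test accepts DNs whose final RDN merely *ends with* the container text.
"""


def split_dn(dn: str) -> list[str]:
    """Split an LDAP DN string into RDN components (hypothetical helper).

    Splits on unescaped commas, keeps backslash escapes intact, and
    normalises whitespace and case so that comparisons are component-wise.
    """
    rdns: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # keep escaped pair (e.g. "\," inside a value) as one unit
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip().lower())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip().lower())
    return rdns


def naive_is_in_container(dn: str, container: str) -> bool:
    """Flat string-suffix check: the kind of comparison the advisory
    describes as bypassable with a "left extension" of the container."""
    return dn.lower().endswith(container.lower())


def rdn_is_in_container(dn: str, container: str) -> bool:
    """Component-wise check: the DN must have strictly more RDNs than the
    container and its trailing RDNs must equal the container's RDNs."""
    d = split_dn(dn)
    c = split_dn(container)
    return len(d) > len(c) and d[-len(c):] == c


# Constructed sample values for the demonstration.
CONTAINER = "ou=principals,dc=example,dc=com"
LEGIT_DN = "krbPrincipalName=alice@EXAMPLE.COM,ou=principals,dc=example,dc=com"
ESCAPED_DN = "cn=doe\\, john,ou=principals,dc=example,dc=com"
# Ends with the container *string* but its RDN is "xou=principals", so it
# is not hierarchically inside the container.
LEFT_EXTENSION_DN = "cn=other,xou=principals,dc=example,dc=com"


def compare_checks(dn: str, container: str = CONTAINER) -> tuple[bool, bool]:
    """Return (naive_result, rdn_result) for one DN against the container."""
    return naive_is_in_container(dn, container), rdn_is_in_container(dn, container)


if __name__ == "__main__":
    for name, dn in [("legit", LEGIT_DN), ("escaped", ESCAPED_DN),
                     ("left-extension", LEFT_EXTENSION_DN), ("container itself", CONTAINER)]:
        naive, strict = compare_checks(dn)
        print(f"{name:18s} naive={naive!s:5s} rdn={strict!s:5s}  {dn}")
```

The component-wise check also rejects the container DN itself (a principal entry must be strictly beneath the container) and tolerates escaped commas inside attribute values, both of which a suffix comparison on the raw string gets wrong or handles by accident.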