Hi Brian,

On Tue, May 14, 2019 at 06:11:05PM +1000, Brian May wrote:
> Salvatore Bonaccorso <car...@debian.org> writes:
> 
> > Source: heimdal
> > Version: 7.5.0+dfsg-2.1
> > Severity: important
> > Tags: security upstream
> > Control: found -1 7.1.0+dfsg-13+deb9u2
> > Control: found -1 7.1.0+dfsg-13
> >
> > Hi,
> >
> > The following vulnerability was published for heimdal, actually just
> > what is affecting Samba's embedded copy of heimdal.
> >
> > CVE-2018-16860[0]:
> > Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
> >
> > Please adjust the affected versions in the BTS as needed, all versions
> > starting from 0.8 upwards including 7.5.0 are affected.
> >
> > What is your take on this? Does this need a DSA or is an update via an
> > upcoming point release enough?
> 
> I am hardly authoritative on this, however my rough take right now is:
> 
> * There is a vulnerability.
> * The fix is simple. Looking at the Samba patches, I suspect we only
>   need the bit that alters krb5tgs.c - below.
> * Not convinced this can actually be exploited without AD. It is
>   unlikely you would be using the stock Heimdal with AD. So possible
>   we don't need to worry.

Alright, I will mark it no-dsa for stretch then at least. For buster,
it might still be good to have the fix go in?

Regards,
Salvatore