>>>>> "Salvatore" == Salvatore Bonaccorso <[email protected]> writes:
Salvatore> We were originally thinking so (and Moritz added krb5 to
Salvatore> the DSA needed list), as at least for 32bit architectures
Salvatore> it might be possible to go beyond denial of service and
Salvatore> potentially lead to remote code execution. But if your
Salvatore> assessment on the issue makes you confident it's not DSA
Salvatore> worthy we can re-evaluate.

So, looking at the code and the upstream advisory, it looks like the
information exposure vulnerability with cross-realm trust applies to
64-bit arches too.

Anyway I've fixed for unstable.

I have a proposed fix for bullseye on the bullseye branch of
https://salsa.debian.org/debian/krb5.

Can you take a look and see if I did that right? Do you want me to
upload that, or would you rather upload to the security queue?

