Your message dated Sat, 19 Nov 2022 19:47:26 +0000
with message-id <e1owtoe-005qpv...@fasolo.debian.org>
and subject line Bug#1024267: fixed in krb5 1.18.3-6+deb11u3
has caused the Debian Bug report #1024267,
regarding krb5: CVE-2022-42898: integer overflows in PAC parsing
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1024267: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024267
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: krb5
Version: 1.20-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.18.3-6+deb11u2
Control: found -1 1.18.3-6
Control: found -1 1.8+dfsg-1

Hi,

The following vulnerability was published for krb5.

CVE-2022-42898[0]:
| integer overflows in PAC parsing

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-42898
    https://www.cve.org/CVERecord?id=CVE-2022-42898
[1] https://github.com/krb5/krb5/commit/b99de751dd35360c0fccac74a40f4a60dbf1ceea

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: krb5
Source-Version: 1.18.3-6+deb11u3
Done: Sam Hartman <hartm...@debian.org>

We believe that the bug you reported is fixed in the latest version of
krb5, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1024...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sam Hartman <hartm...@debian.org> (supplier of updated krb5 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 17 Nov 2022 12:41:46 -0700
Source: krb5
Architecture: source
Version: 1.18.3-6+deb11u3
Distribution: bullseye-security
Urgency: high
Maintainer: Sam Hartman <hartm...@debian.org>
Changed-By: Sam Hartman <hartm...@debian.org>
Closes: 1024267
Changes:
 krb5 (1.18.3-6+deb11u3) bullseye-security; urgency=high
 .
   * Integer overflows in PAC parsing; potentially critical for 32-bit
     KDCs or when cross-realm acts maliciously; DOS in other conditions;
     CVE-2022-42898, Closes: #1024267

--- End Message ---
