Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.6063 krb5 security update 21 November 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: krb5 Publisher: Debian Operating System: Debian GNU/Linux Resolution: Patch/Upgrade CVE Names: CVE-2022-42898 Original Bulletin: http://www.debian.org/security/2022/dsa-5286 Comment: CVSS (Max): 6.4 CVE-2022-42898 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L) CVSS Source: Red Hat Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-5286-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso November 19, 2022 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : krb5 CVE ID : CVE-2022-42898 Debian Bug : 1024267 Greg Hudson discovered integer overflow flaws in the PAC parsing in krb5, the MIT implementation of Kerberos, which may result in remote code execution (in a KDC, kadmin, or GSS or Kerberos application server process), information exposure (to a cross-realm KDC acting maliciously), or denial of service (KDC or kadmind process crash). For the stable distribution (bullseye), this problem has been fixed in version 1.18.3-6+deb11u3. We recommend that you upgrade your krb5 packages. For the detailed security status of krb5 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/krb5 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmN42JdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Ts8Q//XhOs3bCQ+xCaIy0cXiNxk4JwzjvBuBdWb5gdmavqO/yS31IfaM3s7WlV A6Y9g00qGjhtPyHbDTTu68gYQv5EuoVFZjYA3M51vdM+PxRN6po0QMvANAHhp1ow GbFkEflZblMqPHMsMuDt3C6D2hr+5aCOyNY4V20BJuLOkoKa8RBtxKo0Lcq1j5V2 PjLgX+dEvaz6ORpBGdNENmZFAwgllB1pXMoobLLJWLsaEvUrl6pQhwXRs+s5LHKr hAvhHnacShPNVgHq6uJ5s0PGsXlf/BeN2hWzQzgj16My+x3VbVc6TCHv5sD5L615 DiwXwC4sNIl1KYYd04Fnyi87Tpnp7fowyfgluPYLUAGX7srilCpmb8XBKeUHwlxG LWTYvlECryucUOWFMph6K/aHTIIItraqeFCQsGDcPa5x//LsF4RcfPt49u6jcig9 e6koCej6+DrBIvf8vDUyyDB8V4kk2jN4pzeTjpMiKAY8WBnBxQwfGGCGAu3FEoOk ijtxbLje+1DsgKivwEiakgg6rcabQ6yZmuK0Aspi/kw8U55ecr7lntBM03nfb8yr nfgDGWEaRkAAhEft80ajaC7Ym1tveDaq8FAiA4uk07FgOVF+iO3XX77zwrVuh2SP lsaeTC7AnRYIfqy6emRHLAVG9SJP+WMSiggi1SOEQaL1AN5YirQ= =dMbH - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: https://auscert.org.au/gpg-key/ iQIVAwUBY3sLWckNZI30y1K9AQjr1A//bolUkTC2BSbsZoVS8VrDZCWerO2Ynzr4 ApEdctdDo3vwNBylXgyviNcVevIcuLp1I3GANnbbMellUiqyndM8fRnXeDiRK4Ud wU19VkPx80JUPedQNCk7q7PiGn1CDENylYbb6GBrbZG2sWfoKOHhMOXlQV853rJi MiiBii6e9ioXG/MrRYYio8MynSAEDezZ+tLNJrR78poRcYcS0NLFk9NAKZBRVk/7 INF6GOm2Vp7OxeFqmcbYW4E6n0TgJvUU5AE79RUjP55oLFCVPvqdQqruXPK8mWYb ZHr95n8QkrO1Zl5ZlRPD02piSJAF7qkxi73XvvWHVE9p57bKVcqvEuKKmtkEfWis uJs4+3kODfKAU1/DEz/q1ZxXlCK6XadWKTz2AZ26a7AQSTo1CSTheju35lj2LoIC X5IzYdr8n/OB7me+eqYcDzA7EZiP24MQ32bJr9aTgE/u2dOWCicFlb4+uSh4Bb6Z 5x+uIx06s/jY1kLJ4OsvMYGE8Ib6CpYyQbulfQyVU1bXQkkOe6p3s9byMP/hVs85 QQvx8/tTeM1GT1UqGcIQFG3qDn2+I9c9K55BMb0ZNJ+UBtK1V5fm7RRTddkeh1eN mqcMuiEEC1zI/bDoj7rKkFIznAeLrFVmNKUrw7Rb8iIo4/yMUMGVJy5ym4Gyn5GF xxKxMv35S74= =5VAX -----END PGP SIGNATURE-----