Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.6063
krb5 security update
21 November 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: krb5
Publisher: Debian
Operating System: Debian GNU/Linux
Resolution: Patch/Upgrade
CVE Names: CVE-2022-42898
Original Bulletin:
http://www.debian.org/security/2022/dsa-5286
Comment: CVSS (Max): 6.4 CVE-2022-42898 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L)
CVSS Source: Red Hat
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5286-1 security@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 19, 2022 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : krb5
CVE ID : CVE-2022-42898
Debian Bug : 1024267
Greg Hudson discovered integer overflow flaws in the PAC parsing in
krb5, the MIT implementation of Kerberos, which may result in remote
code execution (in a KDC, kadmin, or GSS or Kerberos application server
process), information exposure (to a cross-realm KDC acting
maliciously), or denial of service (KDC or kadmind process crash).
For the stable distribution (bullseye), this problem has been fixed in
version 1.18.3-6+deb11u3.
We recommend that you upgrade your krb5 packages.
For the detailed security status of krb5 please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/krb5
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmN42JdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Ts8Q//XhOs3bCQ+xCaIy0cXiNxk4JwzjvBuBdWb5gdmavqO/yS31IfaM3s7WlV
A6Y9g00qGjhtPyHbDTTu68gYQv5EuoVFZjYA3M51vdM+PxRN6po0QMvANAHhp1ow
GbFkEflZblMqPHMsMuDt3C6D2hr+5aCOyNY4V20BJuLOkoKa8RBtxKo0Lcq1j5V2
PjLgX+dEvaz6ORpBGdNENmZFAwgllB1pXMoobLLJWLsaEvUrl6pQhwXRs+s5LHKr
hAvhHnacShPNVgHq6uJ5s0PGsXlf/BeN2hWzQzgj16My+x3VbVc6TCHv5sD5L615
DiwXwC4sNIl1KYYd04Fnyi87Tpnp7fowyfgluPYLUAGX7srilCpmb8XBKeUHwlxG
LWTYvlECryucUOWFMph6K/aHTIIItraqeFCQsGDcPa5x//LsF4RcfPt49u6jcig9
e6koCej6+DrBIvf8vDUyyDB8V4kk2jN4pzeTjpMiKAY8WBnBxQwfGGCGAu3FEoOk
ijtxbLje+1DsgKivwEiakgg6rcabQ6yZmuK0Aspi/kw8U55ecr7lntBM03nfb8yr
nfgDGWEaRkAAhEft80ajaC7Ym1tveDaq8FAiA4uk07FgOVF+iO3XX77zwrVuh2SP
lsaeTC7AnRYIfqy6emRHLAVG9SJP+WMSiggi1SOEQaL1AN5YirQ=
=dMbH
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBY3sLWckNZI30y1K9AQjr1A//bolUkTC2BSbsZoVS8VrDZCWerO2Ynzr4
ApEdctdDo3vwNBylXgyviNcVevIcuLp1I3GANnbbMellUiqyndM8fRnXeDiRK4Ud
wU19VkPx80JUPedQNCk7q7PiGn1CDENylYbb6GBrbZG2sWfoKOHhMOXlQV853rJi
MiiBii6e9ioXG/MrRYYio8MynSAEDezZ+tLNJrR78poRcYcS0NLFk9NAKZBRVk/7
INF6GOm2Vp7OxeFqmcbYW4E6n0TgJvUU5AE79RUjP55oLFCVPvqdQqruXPK8mWYb
ZHr95n8QkrO1Zl5ZlRPD02piSJAF7qkxi73XvvWHVE9p57bKVcqvEuKKmtkEfWis
uJs4+3kODfKAU1/DEz/q1ZxXlCK6XadWKTz2AZ26a7AQSTo1CSTheju35lj2LoIC
X5IzYdr8n/OB7me+eqYcDzA7EZiP24MQ32bJr9aTgE/u2dOWCicFlb4+uSh4Bb6Z
5x+uIx06s/jY1kLJ4OsvMYGE8Ib6CpYyQbulfQyVU1bXQkkOe6p3s9byMP/hVs85
QQvx8/tTeM1GT1UqGcIQFG3qDn2+I9c9K55BMb0ZNJ+UBtK1V5fm7RRTddkeh1eN
mqcMuiEEC1zI/bDoj7rKkFIznAeLrFVmNKUrw7Rb8iIo4/yMUMGVJy5ym4Gyn5GF
xxKxMv35S74=
=5VAX
-----END PGP SIGNATURE-----