Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 21 May 2015 15:29:23 +0200
From: Martin Prpic <mprpic@...hat.com>
To: "OSS Security Mailinglist" <oss-security@...ts.openwall.com>
Subject:  CVE-2015-3206 python-kerberos: checkPassword() does not verify KDC authenticity

Hello!

Red Hat has assigned CVE-2015-3206 to the following issue:

https://www.calendarserver.org/ticket/833
"The python-kerberos checkPassword() does verify that it actually spoke
to a trusted KDC"

Upstream has not fixed it, rather documented the insecurity of the
checkPassword() function. We feel that this is not a proper solution
given the fact that the pykerberos fork of this library did fix this
issue by adding KDC validation:

https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c

Red Hat bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1223802

--
Martin Prpič / Red Hat Product Security

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ