Date: Thu, 21 May 2015 15:29:23 +0200 From: Martin Prpic <mprpic@...hat.com> To: "OSS Security Mailinglist" <oss-security@...ts.openwall.com> Subject: CVE-2015-3206 python-kerberos: checkPassword() does not verify KDC authenticity Hello! Red Hat has assigned CVE-2015-3206 to the following issue: https://www.calendarserver.org/ticket/833 "The python-kerberos checkPassword() does verify that it actually spoke to a trusted KDC" Upstream has not fixed it, rather documented the insecurity of the checkPassword() function. We feel that this is not a proper solution given the fact that the pykerberos fork of this library did fix this issue by adding KDC validation: https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1223802 -- Martin Prpič / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ