CVE-2010-4021
Published: 2 December 2010
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 does not properly restrict the use of TGT credentials for armoring TGS requests, which might allow remote authenticated users to impersonate a client by rewriting an inner request, aka a "KrbFastReq forgery issue."
Notes
Author | Note |
---|---|
mdeslaur | 1.7 only |
Priority
Status
Package | Release | Status |
---|---|---|
krb5 Launchpad, Ubuntu, Debian | dapper | Not vulnerable (1.4.3-5ubuntu0.11) |
krb5 | hardy | Not vulnerable (1.6.dfsg.3~beta1-2ubuntu1.5) |
krb5 | karmic | Released (1.7dfsg~beta3-1ubuntu0.7) |
krb5 | lucid | Not vulnerable (1.8.1+dfsg-2ubuntu0.3) |
krb5 | maverick | Not vulnerable (1.8.1+dfsg-5ubuntu0.1) |
krb5 | upstream | Released (1.7.1) |

Patches: upstream: http://anonsvn.mit.edu/viewvc/krb5?view=revision&revision=23643