On Sun, Oct 29, 2017 at 01:02:56PM +0100, Salvatore Bonaccorso wrote:
> Hi
>
> On Fri, Oct 27, 2017 at 08:25:04PM -0500, Benjamin Kaduk wrote:
> > I think upstream actually did the backport earlier today, already.
>
> I retitled the bug (Red Hat has assigned a CVE for the issue
> (https://bugzilla.redhat.com/show_bug.cgi?id=1504045) (and added tag
> security).

Red Hat uses this code in their KDC, but for upstream and Debian it's only used in the kinit(1) client, with a user-specified input certificate, so upstream (and I) believe that no CVE is needed for our usage.

-Ben