>>>>> "Benjamin" == Benjamin Kaduk <ka...@mit.edu> writes:
Benjamin> On Wed, Jul 21, 2021 at 10:01:23AM -0600, Sam Hartman wrote:
>> control: severity -1 important
>>
Salvatore> The following vulnerability was published for krb5.
>>
Salvatore> CVE-2021-36222[0]: | sending a request containing a
Salvatore> PA-ENCRYPTED-CHALLENGE padata element | without using
Salvatore> FAST could result in null dereference in the KDC which |
Salvatore> leads to DoS
>>
>> On a Debian system with systemd, the KDC will restart,
>> significantly limiting the impact of this bug. I'm going to
>> argue for important, although if you want to push to serious, I
>> won't fight it. I'm busy with Family obligat scattered
>> throughout the day ions, but it sounded like Benjamin Kaduk might
>> be available to help.
Benjamin> Yes, I have some time to help. Given that Salvatore filed
Benjamin> the report, I am assuming that this would qualify for a
Benjamin> security upload for stretch.
It looks like stretch has version 1.15, but buster is vulnerable, and
I'd assume you could coordinate with the security team for a buster
security upload.
Benjamin> However, the upstream commit
Benjamin> claims that only krb5 1.16 and later are affected, so I
Benjamin> will attempt to check whether stretch is actually
Benjamin> affected.
Benjamin> If I understand correctly given the current state of
Benjamin> buster freeze, I will need to upload the targeted fix to
Benjamin> sid and request an unblock (as opposed to being able to do
Benjamin> a security upload).
s^buster^bullseye
and yes.
