Hi Sam,

On Wed, Jul 21, 2021 at 10:01:23AM -0600, Sam Hartman wrote:
> control: severity -1 important
>
> Salvatore> The following vulnerability was published for krb5.
>
> Salvatore> CVE-2021-36222[0]: | sending a request containing a
> Salvatore> PA-ENCRYPTED-CHALLENGE padata element | without using
> Salvatore> FAST could result in null dereference in the KDC which |
> Salvatore> leads to DoS
>
> On a Debian system with systemd, the KDC will restart, significantly
> limiting the impact of this bug.

Ack, thanks for giving the background.

> I'm going to argue for important, although if you want to push to
> serious, I won't fight it.

Don't worry, I won't fight it as well. My reason for filing it as RC
would be mainly to have some further weight towards having the fix in
time for bullseye before the bullseye release.

> I'm busy with Family obligations scattered throughout the day, but
> it sounded like Benjamin Kaduk might be available to help.
> If not, I'll have some time and be back to general availability by
> Sunday.

Family has priority :).

In any case given the question was raised, my feeling is the
following:

Try to get the fix in bullseye in time, via a targeted fix, ask
release team for an unblock. Note here that when we file bugs in the
BTS, the chosen severity is more an indication how we feel the fix
should land in the next stable release, and might be completely
orthogonal to a DSA or no-DSA decision (in fact you fill all possible
cases, from important filed bugs warranting a DSA, to RC severity
bugs not warranting a DSA and asking to schedule fixes via point
releases).

About buster: Given the above we can fix via the upcoming point
release for buster, I guess that can be enough in this case.

What would happen if the unauthenticated user "hammers" with it the
KDC which is then continuously restarted, what would be the impact?
Sorry for my ignorance.

Thanks for your prompt action!

Regards,
Salvatore