Hi Sam,

On Wed, Nov 16, 2022 at 07:32:00PM -0700, Sam Hartman wrote:
> >>>>> "Salvatore" == Salvatore Bonaccorso <car...@debian.org> writes:
>
>     Salvatore> Hi,
>
>     Salvatore> The following vulnerability was published for krb5.
>
>     Salvatore> CVE-2022-42898[0]:
>     Salvatore> | integer overflows in PAC parsing
>
>     Salvatore> If you fix the vulnerability please also make sure to
>     Salvatore> include the CVE (Common Vulnerabilities & Exposures) id
>     Salvatore> in your changelog entry.
>
> Will fix for unstable tomorrow.

Thank you.

> I'm still trying to understand the practical impact.
> Do you think you're going to want to issue a DSA for stable?

We were originally thinking so (and Moritz added krb5 to the DSA needed
list), as at least for 32-bit architectures it might be possible to go
beyond denial of service and potentially lead to remote code execution.

But if your assessment of the issue makes you confident it's not DSA
worthy, we can re-evaluate.

Regards,
Salvatore