On Wed, Jun 17, 2026 at 09:42:58PM -0600, Sam Hartman wrote:
> control: severity -1 minor
>
>
> >>>>> "Moritz" == Moritz Mühlenhoff <[email protected]> writes:
>
> Moritz> bounds read. The attack vector involves a malicious or
> Moritz> compromised LDAP KDB backend returning a krbExtraData
> Moritz> attribute with bv_len < 2, triggering the underflow when
> Moritz> the KDC or kadmind reads principal data.
>
> The KDB backend (ldap or otherwise) is fully within the trusted
> computing base of a Kerberos plus LDAP deployment.
> This is not a security bug.
> I've included the MR for this, but prefer not to see this NMUed; I'll
> include in unstable soon.
> Absolutely not worth fixing for stable.
Thanks, I've updated the Debian security tracker to mark this as not
having actual security impact.
Cheers,
Moritz