SB2015050604 - Fedora 21 update for krb5

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2015050604

SB2015050604 - Fedora 21 update for krb5

Published: May 6, 2015 Updated: April 24, 2025

Security Bulletin ID SB2015050604
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 50% Low 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-2694)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.


2) Input validation error (CVE-ID: CVE-2014-5353)

The vulnerability allows remote authenticated users to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.


Remediation

Install update from vendor's website.

References