Security update for krb5 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2993-1 Final 1 1 2017-11-10T13:07:27Z current 2017-11-10T13:07:27Z 2017-11-10T13:07:27Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for krb5 This update for krb5 fixes the following securitz issue - CVE-2017-15088: A buffer overflow in get_matching_data() was fixed that could under specific circumstances be used to execute code (bsc#1065274) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00020.html E-Mail link for openSUSE-SU-2017:2993-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 krb5-1.12.5-12.1 krb5-32bit-1.12.5-12.1 krb5-client-1.12.5-12.1 krb5-devel-1.12.5-12.1 krb5-devel-32bit-1.12.5-12.1 krb5-doc-1.12.5-12.1 krb5-mini-1.12.5-12.1 krb5-mini-devel-1.12.5-12.1 krb5-plugin-kdb-ldap-1.12.5-12.1 krb5-plugin-preauth-otp-1.12.5-12.1 krb5-plugin-preauth-pkinit-1.12.5-12.1 krb5-server-1.12.5-12.1 krb5-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-32bit-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-32bit-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-client-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-client-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-devel-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-devel-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-devel-32bit-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-devel-32bit-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-doc-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-doc-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-mini-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-mini-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-mini-devel-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-mini-devel-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-plugin-kdb-ldap-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-plugin-kdb-ldap-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-plugin-preauth-otp-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-plugin-preauth-otp-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-plugin-preauth-pkinit-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-plugin-preauth-pkinit-1.12.5-12.1 as a component of openSUSE Leap 42.3 krb5-server-1.12.5-12.1 as a component of openSUSE Leap 42.2 krb5-server-1.12.5-12.1 as a component of openSUSE Leap 42.3 plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat. CVE-2017-15088 openSUSE Leap 42.2:krb5-1.12.5-12.1 openSUSE Leap 42.2:krb5-32bit-1.12.5-12.1 openSUSE Leap 42.2:krb5-client-1.12.5-12.1 openSUSE Leap 42.2:krb5-devel-1.12.5-12.1 openSUSE Leap 42.2:krb5-devel-32bit-1.12.5-12.1 openSUSE Leap 42.2:krb5-doc-1.12.5-12.1 openSUSE Leap 42.2:krb5-mini-1.12.5-12.1 openSUSE Leap 42.2:krb5-mini-devel-1.12.5-12.1 openSUSE Leap 42.2:krb5-plugin-kdb-ldap-1.12.5-12.1 openSUSE Leap 42.2:krb5-plugin-preauth-otp-1.12.5-12.1 openSUSE Leap 42.2:krb5-plugin-preauth-pkinit-1.12.5-12.1 openSUSE Leap 42.2:krb5-server-1.12.5-12.1 openSUSE Leap 42.3:krb5-1.12.5-12.1 openSUSE Leap 42.3:krb5-32bit-1.12.5-12.1 openSUSE Leap 42.3:krb5-client-1.12.5-12.1 openSUSE Leap 42.3:krb5-devel-1.12.5-12.1 openSUSE Leap 42.3:krb5-devel-32bit-1.12.5-12.1 openSUSE Leap 42.3:krb5-doc-1.12.5-12.1 openSUSE Leap 42.3:krb5-mini-1.12.5-12.1 openSUSE Leap 42.3:krb5-mini-devel-1.12.5-12.1 openSUSE Leap 42.3:krb5-plugin-kdb-ldap-1.12.5-12.1 openSUSE Leap 42.3:krb5-plugin-preauth-otp-1.12.5-12.1 openSUSE Leap 42.3:krb5-plugin-preauth-pkinit-1.12.5-12.1 openSUSE Leap 42.3:krb5-server-1.12.5-12.1 important 7.1 AV:N/AC:H/Au:S/C:C/I:C/A:C Please Install the update. http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00020.html https://www.suse.com/security/cve/CVE-2017-15088.html CVE-2017-15088 https://bugzilla.suse.com/1065274 SUSE Bug 1065274