
[ASA-201710-8] krb5: multiple issues
Arch Linux Security Advisory ASA-201710-8
=========================================

Severity: High
Date    : 2017-10-05
CVE-ID  : CVE-2017-11368 CVE-2017-11462
Package : krb5
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-414

Summary
=======

The package krb5 before version 1.15.2-1 is vulnerable to multiple issues
including arbitrary code execution and denial of service.

Resolution
==========

Upgrade to 1.15.2-1.

# pacman -Syu "krb5>=1.15.2-1"

The problems have been fixed upstream in version 1.15.2.

Workaround
==========

None.

Description
===========

- CVE-2017-11368 (denial of service)

A denial of service flaw was found in MIT Kerberos krb5kdc service. An
authenticated attacker could use this flaw to cause krb5kdc to exit with an
assertion failure by making an invalid S4U2Self or S4U2Proxy request.

- CVE-2017-11462 (arbitrary code execution)

A double free vulnerability has been discovered in MIT Kerberos 5 (aka krb5)
allowing attackers to crash the application or possibly execute arbitrary
code via vectors involving automatic deletion of security contexts on error.

Impact
======

A remote attacker is able to crash the application or possibly execute
arbitrary code on the affected host.

References
==========

https://web.mit.edu/kerberos/krb5-1.15/
https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8598
https://bugzilla.redhat.com/show_bug.cgi?id=1488873
https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf
https://security.archlinux.org/CVE-2017-11368
https://security.archlinux.org/CVE-2017-11462
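The Resolution section names the fixed package version; a fleet check needs to turn the output of `pacman -Q krb5` into an affected / not-affected verdict without relying on string equality. The following is an added example, not part of the advisory or of pacman: it re-implements a simplified subset of pacman's vercmp ordering (epoch, dotted pkgver with pre-release suffixes, pkgrel) in Python and compares an installed version against the advisory's 1.15.2-1. The `pacman -Q` sample line is constructed; the real `vercmp` binary should be preferred on an actual Arch host.

```python
"""Check whether an installed krb5 package is below the version fixed in
ASA-201710-8.  Added example; the comparison mimics pacman's vercmp rules in
simplified form and is not the real vercmp implementation."""
import re

FIXED_VERSION = "1.15.2-1"          # from the advisory's Resolution section
SAMPLE_PACMAN_OUTPUT = "krb5 1.15.1-1"   # constructed `pacman -Q krb5` line


def split_version(version):
    """Split 'epoch:pkgver-pkgrel' into (epoch, pkgver, pkgrel).

    Epoch defaults to 0 and pkgrel to '0' when absent."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    pkgver, _, pkgrel = version.partition("-")
    return epoch, pkgver, pkgrel or "0"


def _cmp_segments(a, b):
    """Compare two version strings segment by segment (numeric vs alphabetic runs).

    Returns -1, 0 or 1.  Numeric segments sort after alphabetic ones; trailing
    numeric segments mean a newer version (1.15.2 > 1.15), trailing alphabetic
    segments mean a pre-release (1.15.2rc1 < 1.15.2)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    longer = sa if len(sa) > len(sb) else sb
    extra_is_alpha = not longer[min(len(sa), len(sb))].isdigit()
    if len(sa) > len(sb):
        return -1 if extra_is_alpha else 1
    return 1 if extra_is_alpha else -1


def compare_versions(a, b):
    """Return -1 if a < b, 0 if equal, 1 if a > b (epoch, then pkgver, then pkgrel)."""
    ea, va, ra = split_version(a)
    eb, vb, rb = split_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    result = _cmp_segments(va, vb)
    if result:
        return result
    return _cmp_segments(ra, rb)


def parse_pacman_query(line):
    """Parse one line of `pacman -Q <pkg>` output, which is '<name> <version>'."""
    parts = line.split()
    if len(parts) != 2:
        raise ValueError(f"unexpected pacman -Q output: {line!r}")
    return parts[0], parts[1]


def is_affected(pacman_line, fixed=FIXED_VERSION, package="krb5"):
    """True when the queried package is installed at a version below `fixed`."""
    name, installed = parse_pacman_query(pacman_line)
    if name != package:
        return False
    return compare_versions(installed, fixed) < 0


if __name__ == "__main__":
    verdict = "AFFECTED" if is_affected(SAMPLE_PACMAN_OUTPUT) else "not affected"
    print(f"{SAMPLE_PACMAN_OUTPUT!r} vs fixed {FIXED_VERSION}: {verdict}")
```

On a live host, feed the real output of `pacman -Q krb5` to `is_affected`; an epoch bump (`1:` prefix) or a higher pkgrel is handled the same way pacman orders them, while exotic suffixes outside the alphabetic/numeric runs handled here should be delegated to `vercmp`.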