Debian Bug report logs - #683429
CVE-2012-1014/CVE-2012-1015: KDC heap corruption and crash vulnerabilities

version graph

Package: krb5; Maintainer for krb5 is Sam Hartman <hartmans@debian.org>;

Reported by: Henri Salo <henri@nerv.fi>

Date: Tue, 31 Jul 2012 18:45:02 UTC

Severity: important

Tags: security

Found in version 1.8.3+dfsg-4squeeze5

Fixed in versions krb5/1.8.3+dfsg-4squeeze6, 1.10.1+dfsg-2

Done: Yves-Alexis Perez <corsac@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#683429; Package krb5. (Tue, 31 Jul 2012 18:45:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. (Tue, 31 Jul 2012 18:45:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: CVE-2012-1014/CVE-2012-1015: KDC heap corruption and crash vulnerabilities
Date: Tue, 31 Jul 2012 21:41:02 +0300
Package: krb5
Version: 1.8.3+dfsg-4squeeze5
Severity: important
Tags: security

Original report in here: http://seclists.org/bugtraq/2012/Jul/171

I haven't verified this manually in Debian-packages. Please ask if you need me to do it, thanks.

-- System Information:
Debian Release: 6.0.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.4.1 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash



Reply sent to Sam Hartman <hartmans@debian.org>:
You have taken responsibility. (Tue, 31 Jul 2012 19:39:07 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 31 Jul 2012 19:39:07 GMT) Full text and rfc822 format available.

Message #10 received at 683429-done@bugs.debian.org (full text, mbox):

From: Sam Hartman <hartmans@debian.org>
To: Henri Salo <henri@nerv.fi>
Cc: 683429-done@bugs.debian.org, submit@bugs.debian.org
Subject: Re: [SPAM] Bug#683429: CVE-2012-1014/CVE-2012-1015: KDC heap corruption and crash vulnerabilities
Date: Tue, 31 Jul 2012 15:30:13 -0400
source: krb5
source-version: 1.8.3+dfsg-4squeeze6

I expect the security team will be issuing a DSA within a couple of
days.
Also, for unstable, fixed in 1.10.1+dfsg-2

The uploads happened before you opened the bug so they are not reflected
in the changelog.
Note that squeeze is vulnerable only to one of the two CVEs.



Reply sent to Yves-Alexis Perez <corsac@debian.org>:
You have taken responsibility. (Tue, 31 Jul 2012 20:03:08 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Tue, 31 Jul 2012 20:03:08 GMT) Full text and rfc822 format available.

Message #15 received at 683429-done@bugs.debian.org (full text, mbox):

From: Yves-Alexis Perez <corsac@debian.org>
To: 683429-done@bugs.debian.org
Subject: closing
Date: Tue, 31 Jul 2012 22:01:16 +0200
[Message part 1 (text/plain, inline)]
Version: 1.10.1+dfsg-2
-- 
Yves-Alexis
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 31 Aug 2012 07:27:38 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 07:47:27 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.