CVE-2014-4343: Double Free
First published: Tue Jul 22 2014(Updated: )
A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. It is reported that this issue affects version 1.10 and later. Upstream commit and further details: <a href="https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f">https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian Debian Linux | =7.0 | |
| MIT Kerberos 5 | =1.10 | |
| MIT Kerberos 5 | =1.10.1 | |
| MIT Kerberos 5 | =1.10.2 | |
| MIT Kerberos 5 | =1.10.3 | |
| MIT Kerberos 5 | =1.10.4 | |
| MIT Kerberos 5 | =1.11 | |
| MIT Kerberos 5 | =1.11.1 | |
| MIT Kerberos 5 | =1.11.2 | |
| MIT Kerberos 5 | =1.11.3 | |
| MIT Kerberos 5 | =1.11.4 | |
| MIT Kerberos 5 | =1.11.5 | |
| MIT Kerberos 5 | =1.12 | |
| MIT Kerberos 5 | =1.12.1 | |
| Redhat Enterprise Linux Desktop | =7.0 | |
| Redhat Enterprise Linux Hpc Node | =7.0 | |
| Redhat Enterprise Linux Server | =7.0 | |
| Redhat Enterprise Linux Workstation | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/krb5/krb5/commit/f18ddf5d82de0ab7591a36e465bc24225776940f
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1121879
- https://rhn.redhat.com/errata/RHSA-2014-1389.html
- https://rhn.redhat.com/errata/RHSA-2015-0439.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1121876
- http://advisories.mageia.org/MGASA-2014-0345.html
- http://aix.software.ibm.com/aix/efixes/security/nas_advisory1.asc
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=7969
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136360.html
- http://rhn.redhat.com/errata/RHSA-2015-0439.html
- http://secunia.com/advisories/59102
- http://secunia.com/advisories/60082
- http://secunia.com/advisories/60448
- http://secunia.com/advisories/61052
- http://security.gentoo.org/glsa/glsa-201412-53.xml
- http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15553.html
- http://www.debian.org/security/2014/dsa-3000
- http://www.osvdb.org/109390
- http://www.securityfocus.com/bid/69159
- http://www.securitytracker.com/id/1030706
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95211
- agent/author
- agent/description
- agent/references
- agent/type
- collector/nvd-index
- collector/redhat-bugzilla
- alias/CVE-2014-4343
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- vendor/mit
- canonical/mit kerberos 5
- version/mit kerberos 5/1.10
- version/mit kerberos 5/1.10.1
- version/mit kerberos 5/1.10.2
- version/mit kerberos 5/1.10.3
- version/mit kerberos 5/1.10.4
- version/mit kerberos 5/1.11
- version/mit kerberos 5/1.11.1
- version/mit kerberos 5/1.11.2
- version/mit kerberos 5/1.11.3
- version/mit kerberos 5/1.11.4
- version/mit kerberos 5/1.11.5
- version/mit kerberos 5/1.12
- version/mit kerberos 5/1.12.1
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux hpc node
- version/redhat enterprise linux hpc node/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0