MNBSD-2022-16: Multiple vulnerabilities in Heimdal Kerberos 5 and the KDC

Severity: Unknown

Affected Package: heimdal

Summary: Multiple vulnerabilities in Heimdal Kerberos 5 and the KDC

Description

Multiple security vulnerabilities were fixed in the Heimdal implementation of the Kerberos 5 network authentication protocol and its KDC: an integer overflow in PAC parsing (CVE-2022-42898); buffer overflows and non-constant-time leaks in the DES/DES3 and arcfour code (CVE-2022-3437); a NULL pointer dereference denial of service in SPNEGO acceptors (CVE-2021-44758); an invalid free in the ASN.1 codec used by the KDC (CVE-2022-44640); and several protocol-transition (S4U2Self/S4U2Proxy) issues, namely validating client attributes, applying the forwardable policy, and always looking up the impersonated client in the database (CVE-2019-14870).

Affected Versions

heimdal

Recommendations

No specific recommendations provided.

References

Additional Information

Aliases: CVE-2022-42898, CVE-2022-3437, CVE-2021-44758, CVE-2022-44640, CVE-2019-14870

Published: November 15, 2022
Last Modified: November 15, 2022