CVE-2014-4343

Publication date 21 July 2014

Last updated 24 July 2024

Ubuntu priority

Medium

Why this priority?

Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator.

Read the notes from the security team

Status

Package Ubuntu Release Status
krb5 14.04 LTS trusty
Fixed 1.12+dfsg-2ubuntu4.2
13.10 saucy Ignored end of life
12.04 LTS precise
Fixed 1.10+dfsg~beta1-2ubuntu0.5
10.04 LTS lucid
Fixed 1.8.1+dfsg-2ubuntu0.13

Notes

seth-arnold

Remote unauthenticated triggering is possible though the commit message for the patch indicates why it is unlikely; thus 'medium'.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
krb5

References

Related Ubuntu Security Notices (USN)

    • USN-2310-1
    • Kerberos vulnerabilities
    • 11 August 2014

Other references