CVE-2014-4344

Publication date 21 July 2014

Last updated 24 July 2024

Ubuntu priority

The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
krb5	14.04 LTS trusty	Fixed 1.12+dfsg-2ubuntu4.2
	13.10 saucy	Ignored end of life
	12.04 LTS precise	Fixed 1.10+dfsg~beta1-2ubuntu0.5
	10.04 LTS lucid	Fixed 1.8.1+dfsg-2ubuntu0.13

How can I get the fixes?
What do statuses mean?
Patch details

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
krb5	Upstream: 524688c

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2310-1
Kerberos vulnerabilities
11 August 2014

Other references

https://github.com/krb5/krb5/commit/524688ce87a15fc75f87efc8c039ba4c7d5c197b
https://www.cve.org/CVERecord?id=CVE-2014-4344