CVE-2014-5353

Publication date 16 December 2014

Last updated 24 July 2024

The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
krb5	14.10 utopic	Fixed 1.12.1+dfsg-10ubuntu0.1
	14.04 LTS trusty	Fixed 1.12+dfsg-2ubuntu5.1
	12.04 LTS precise	Fixed 1.10+dfsg~beta1-2ubuntu0.6
	10.04 LTS lucid	Fixed 1.8.1+dfsg-2ubuntu0.14

How can I get the fixes?
What do statuses mean?
Patch details

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
krb5	Upstream: d1f7070

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2498-1
Kerberos vulnerabilities
10 February 2015

Other references

https://www.cve.org/CVERecord?id=CVE-2014-5353