CVE-2015-3206

Name: CVE-2015-3206
Description: The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-265-1, DLA-265-2
Debian Bugs: 796195

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package | Release | Version | Status
pykerberos (PTS) | buster | 1.1.14-2 | fixed
pykerberos (PTS) | sid, trixie, bookworm, bullseye | 1.1.14-3.1 | fixed

The information below is based on the following data on fixed versions.

Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs
pykerberos | source | squeeze | 1.1+svn4895-1+deb6u2 | | DLA-265-2 |
pykerberos | source | wheezy | 1.1+svn4895-1+deb7u1 | | |
pykerberos | source | jessie | 1.1.5-0.1+deb8u1 | | |
pykerberos | source | (unstable) | 1.1.5-1 | | | 796195

Notes

The CVE was originally assigned to python-kerberos; pykerberos is a fork of the former.
KDC verification support in pykerberos was added in https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c
Using the above code as is might break existing installations, since a keytab is required to call krb5_verify_init_creds.
