CVE-2014-9423

Name: CVE-2014-9423
Description: The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DLA-146-1, DSA-3153-1
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| krb5 (PTS) | stretch | 1.15-1+deb9u1 | fixed |
| | stretch (security) | 1.15-1+deb9u2 | fixed |
| | buster | 1.17-3 | fixed |
| | buster (security) | 1.17-3+deb10u1 | fixed |
| | bullseye, sid | 1.18.3-4 | fixed |

The information below is based on the following data on fixed versions.

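| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| krb5 | source | squeeze | 1.8.3+dfsg-4squeeze9 | | DLA-146-1 | |
| krb5 | source | wheezy | 1.10.1+dfsg-5+deb7u3 | | DSA-3153-1 | |
| krb5 | source | (unstable) | 1.12.1+dfsg-17 | | | |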
