CVE-2019-3467

Name: CVE-2019-3467

Description: Debian-edu-config (all versions < 2.11.10), a set of configuration files used for Debian Edu, and debian-lan-config (< 0.26) configured overly permissive ACLs for the Kerberos admin server, which allowed password changes for other Kerberos user principals.

Source: CVE (at NVD)

References: DLA-2041-1, DLA-2063-1, DSA-4589-1, DSA-4595-1

NVD severity: high

Debian Bugs: 946797, 947459
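The description above comes down to a kadmind ACL (MIT Kerberos kadm5.acl) in which a wildcard principal pattern was granted password-change rights without being scoped to the caller's own principal. The following is an added auditing example, not code from the Debian security tracker or from either affected package: it parses a kadm5.acl and flags rules where a wildcard principal holds a mutating privilege (change password, set key, modify, all) with no target, or with a wildcard target that lacks a `*1`-style back-reference tying it to the caller. The sample ACL text is constructed for the example and is not the file shipped by debian-edu-config; the `trusted_instances` default of `admin` is an assumption reflecting the common `*/admin@REALM *` convention.

```python
"""Audit an MIT Kerberos kadm5.acl for rules that let a broad principal
pattern act on principals other than the caller's own.

Rule format (MIT kadm5.acl):  principal  permissions  [target_principal  [restrictions]]
Lowercase permission letters grant, uppercase deny; 'x' and '*' grant everything.
A target may use '*N' back-references to the caller's own wildcard components.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Permission letters that change another principal's state.
# a=add d=delete m=modify c=change password p=set key x/*=all e=extract keys s=set string
MUTATING = set("admcpxes*")

# Constructed sample; not the ACL from debian-edu-config or debian-lan-config.
SAMPLE_ACL = """\
# constructed kadm5.acl used only for this example
*/admin@EXAMPLE.ORG *
*@EXAMPLE.ORG cil
*@EXAMPLE.ORG cil *1@EXAMPLE.ORG
*@EXAMPLE.ORG c *@EXAMPLE.ORG
alice@EXAMPLE.ORG il
"""


@dataclass
class Finding:
    line_no: int
    principal: str
    perms: str
    target: Optional[str]
    reason: str


def _components(principal: str):
    """Split 'primary/instance@REALM' into (primary, instance); instance may be ''."""
    name = principal.split("@", 1)[0]
    parts = name.split("/", 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def _is_wildcard(principal: str) -> bool:
    return "*" in _components(principal)[0]


def _has_backref(target: str) -> bool:
    # '*1', '*2', ... refer back to the caller's matched wildcard components.
    return re.search(r"\*\d", target) is not None


def parse_acl(text: str):
    """Yield (line_no, principal, permissions, target) for each effective rule."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed; kadmind would reject it, nothing to audit
        target = fields[2] if len(fields) > 2 else None
        yield n, fields[0], fields[1], target


def audit(text: str, trusted_instances=("admin",)) -> List[Finding]:
    """Return rules where a wildcard principal can mutate principals other than itself."""
    findings: List[Finding] = []
    for n, principal, perms, target in parse_acl(text):
        if not (set(perms) & MUTATING):
            continue  # inquire/list only, or a pure deny rule
        if not _is_wildcard(principal):
            continue  # a single named principal; scope is already explicit
        if _components(principal)[1] in trusted_instances:
            continue  # e.g. */admin@REALM: the conventional administrator pattern
        if target is None:
            findings.append(Finding(n, principal, perms, target,
                                    "wildcard principal with no target: rule applies to every principal"))
        elif _is_wildcard(target) and not _has_backref(target):
            findings.append(Finding(n, principal, perms, target,
                                    "wildcard target without back-reference: not limited to the caller"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ACL):
        print(f"line {f.line_no}: '{f.principal} {f.perms}"
              f"{' ' + f.target if f.target else ''}' -> {f.reason}")
```

Run against the constructed sample, the auditor reports line 3 (`*@EXAMPLE.ORG cil`, every user may change every password) and line 5 (`*@EXAMPLE.ORG c *@EXAMPLE.ORG`, the same effect spelled out), while line 4, whose target is `*1@EXAMPLE.ORG`, passes because the back-reference restricts each user to their own principal. The script only reads the file; on a real KDC, point it at `/etc/krb5kdc/kadm5.acl` (the path is an assumption for Debian's MIT packaging) and review any finding by hand before changing the ACL.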

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| debian-edu-config (PTS) | stretch (security), stretch | 1.929+deb9u4 | fixed |
| | buster | 2.10.65+deb10u6 | fixed |
| | buster (security) | 2.10.65+deb10u3 | fixed |
| | bullseye | 2.11.32 | fixed |
| | sid | 2.11.33 | fixed |
| debian-lan-config (PTS) | stretch (security), stretch | 0.23+deb9u1 | fixed |
| | buster, buster (security) | 0.25+deb10u1 | fixed |
| | sid | 0.27 | fixed |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| debian-edu-config | source | jessie | 1.818+deb8u3 | | DLA-2041-1 | |
| debian-edu-config | source | stretch | 1.929+deb9u4 | | DSA-4589-1 | |
| debian-edu-config | source | buster | 2.10.65+deb10u3 | | DSA-4589-1 | |
| debian-edu-config | source | (unstable) | 2.11.10 | | | 946797 |
| debian-lan-config | source | jessie | 0.19+deb8u2 | | DLA-2063-1 | |
| debian-lan-config | source | stretch | 0.23+deb9u1 | | DSA-4595-1 | |
| debian-lan-config | source | buster | 0.25+deb10u1 | | DSA-4595-1 | |
| debian-lan-config | source | (unstable) | 0.26 | | | 947459 |

Notes

debian-lan-config has effectively the same issue as debian-edu-config and is a somewhat derived codebase, so the same CVE ID is used.
