oss-sec mailing list archives
CVE-2015-3206 python-kerberos: checkPassword() does not verify KDC authenticity
From: Martin Prpic <mprpic () redhat com>
Date: Thu, 21 May 2015 15:29:23 +0200
Hello!

Red Hat has assigned CVE-2015-3206 to the following issue:

https://www.calendarserver.org/ticket/833

"The python-kerberos checkPassword() does not verify that it actually spoke to a trusted KDC"

Upstream has not fixed it, but rather documented the insecurity of the checkPassword() function. We feel that this is not a proper solution, given the fact that the pykerberos fork of this library did fix this issue by adding KDC validation:

https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c

Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=1223802

--
Martin Prpič / Red Hat Product Security
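Editor's added example (not part of the post, and not code from python-kerberos, pykerberos or MIT krb5): a self-contained Python model of why a password check built only on a successful AS exchange is spoofable, and how the standard countermeasure closes the hole. A checkPassword() of the vulnerable kind derives a key from the supplied password, asks "the KDC" for a TGT and declares success if the AS-REP decrypts. Whoever answers as the KDC can therefore make any password "correct" by encrypting the reply under the key for a password the attacker chose. The countermeasure (what MIT's krb5_verify_init_creds does, and what "KDC validation" means in this context) is to additionally obtain a service ticket for a principal whose key sits in the local keytab and check that the ticket decrypts under that key: only the real KDC knows it. All crypto below is a deliberate toy (PBKDF2, a SHA-256 counter keystream and an HMAC tag standing in for Kerberos EncryptedData), and the realm, principals, passwords and keys are constructed for the demonstration.

```python
"""Toy model of the KDC-spoofing weakness behind CVE-2015-3206 (constructed example)."""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

REALM = "EXAMPLE.COM"  # constructed realm name
TGT_PRINC = "krbtgt/" + REALM


def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key from a password, salted with the principal name (toy string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)


def seal(key: bytes, obj: dict) -> bytes:
    """Toy EncryptedData: JSON plaintext XOR keystream, then HMAC over nonce||ciphertext."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict | None:
    """Inverse of seal(); None when the tag does not verify, i.e. the key is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """Honest KDC: knows the long-term key of every principal in the realm."""

    def __init__(self, keys: dict[str, bytes]):
        self.keys = keys

    def as_exchange(self, client: str) -> bytes | None:
        """AS-REP: TGT under the krbtgt key, enc-part under the client's key."""
        if client not in self.keys:
            return None
        session = secrets.token_hex(16)
        tgt = seal(self.keys[TGT_PRINC], {"client": client, "session": session})
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex: str, service: str) -> bytes | None:
        """TGS-REP: service ticket under the service key, enc-part under the TGT session key."""
        tgt = unseal(self.keys[TGT_PRINC], bytes.fromhex(tgt_hex))
        if tgt is None or service not in self.keys:
            return None
        svc_session = secrets.token_hex(16)
        ticket = seal(self.keys[service], {"client": tgt["client"], "session": svc_session})
        return seal(bytes.fromhex(tgt["session"]), {"session": svc_session, "ticket": ticket.hex()})


class SpoofedKDC(KDC):
    """Attacker's KDC: knows only the password the attacker is about to type, no real keys."""

    def __init__(self, victim_user: str, chosen_password: str):
        super().__init__({victim_user: string_to_key(chosen_password, victim_user),
                          TGT_PRINC: secrets.token_bytes(32)})

    def tgs_exchange(self, tgt_hex: str, service: str) -> bytes | None:
        # No keytab key, so the ticket is forged under a random key and the attacker
        # hopes the client never tries to decrypt it.
        self.keys.setdefault(service, secrets.token_bytes(32))
        return super().tgs_exchange(tgt_hex, service)


def check_password_unverified(kdc: KDC, user: str, password: str) -> bool:
    """The CVE-2015-3206 pattern: 'the AS-REP decrypted, so the password must be right'."""
    rep = kdc.as_exchange(user)
    return rep is not None and unseal(string_to_key(password, user), rep) is not None


def check_password_verified(kdc: KDC, user: str, password: str, service: str, keytab_key: bytes) -> bool:
    """Same check, then prove the KDC is genuine: a ticket for our own service must
    decrypt under the key in our keytab and name the user who just logged in."""
    rep = kdc.as_exchange(user)
    creds = unseal(string_to_key(password, user), rep) if rep is not None else None
    if creds is None:
        return False
    tgs_rep = kdc.tgs_exchange(creds["tgt"], service)
    enc = unseal(bytes.fromhex(creds["session"]), tgs_rep) if tgs_rep is not None else None
    if enc is None:
        return False
    ticket = unseal(keytab_key, bytes.fromhex(enc["ticket"]))
    return ticket is not None and ticket["client"] == user and ticket["session"] == enc["session"]


def demo() -> dict[str, tuple[bool, bool]]:
    """Three scenarios; each maps to (unverified result, verified result)."""
    service = "host/www." + REALM.lower()
    keytab_key = secrets.token_bytes(32)  # what the host's keytab would hold
    real = KDC({"alice": string_to_key("correct horse", "alice"),
                service: keytab_key, TGT_PRINC: secrets.token_bytes(32)})
    spoof = SpoofedKDC("alice", "letmein")  # attacker's KDC and attacker's chosen password
    return {
        "real_kdc_right_pw": (check_password_unverified(real, "alice", "correct horse"),
                              check_password_verified(real, "alice", "correct horse", service, keytab_key)),
        "real_kdc_wrong_pw": (check_password_unverified(real, "alice", "wrong"),
                              check_password_verified(real, "alice", "wrong", service, keytab_key)),
        "spoofed_kdc": (check_password_unverified(spoof, "alice", "letmein"),
                        check_password_verified(spoof, "alice", "letmein", service, keytab_key)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: unverified={result[0]} verified={result[1]}")
```

The spoofed scenario is the whole point: the unverified check accepts "letmein" for alice because the attacker's KDC encrypted the AS-REP under exactly the key the client derives from it, while the verified check fails because the forged service ticket does not decrypt under the keytab key. Note that the verified variant only helps a host that actually has a keytab; a pure client with no service key has nothing to verify against, which is why callers of such a checkPassword() need either a keytab or a different design.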