oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2015-3206 python-kerberos: checkPassword() does not verify KDC authenticity

From: Martin Prpic <mprpic () redhat com>
Date: Thu, 21 May 2015 15:29:23 +0200
Hello!

Red Hat has assigned CVE-2015-3206 to the following issue:

https://www.calendarserver.org/ticket/833
"The python-kerberos checkPassword() does verify that it actually spoke
to a trusted KDC"

Upstream has not fixed it, rather documented the insecurity of the
checkPassword() function. We feel that this is not a proper solution
given the fact that the pykerberos fork of this library did fix this
issue by adding KDC validation:

https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c

Red Hat bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1223802

--
Martin Prpič / Red Hat Product Security
Previous By Date Next
Previous By Thread Next

Current thread: