INFSA-2024:5312: krb5 security update
Information about definition
Identificator: INFSA-2024:5312
Type: security
Release date: 2024-08-27 10:09:40 UTC
Information about package
Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).
Vulnerabilities description
- CVE-2024-37370
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
- CVE-2024-37371
In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message token handling by sending message tokens with invalid length fields.
Severity level
| CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0 |
|---|---|---|---|
|
NIST — CVE-2024-37370
|
no information | 7.4 | no information |
|
NIST — CVE-2024-37371
|
no information | 6.5 | no information |
Updated packages