Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2017-6594

Published: 28 August 2017

The transit path validation code in Heimdal before 7.3 might allow attackers to bypass the capath policy protection mechanism by leveraging failure to add the previous hop realm to the transit path of issued tickets.

Notes

AuthorNote
ratliff
Upstream: "[the fix] may break sites that rely on the bug."
mdeslaur
heimdal-kdc package is in universe
ccdm94
in the commit that fixes this issue, upstream mentions that
there might be applications that use this bug as a "feature"
when sometimes authenticating in cross-realm configurations,
meaning that applying the proposed fix could end up breaking
said applications. In order to avoid regressions for
applications that use heimdal in xenial and earlier, this
issue will be marked as ignored for those releases.

Priority

Low

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package Release Status
heimdal
Launchpad, Ubuntu, Debian
groovy Not vulnerable
(7.4.0.dfsg.1-2)
hirsute Not vulnerable
(7.4.0.dfsg.1-2)
kinetic Not vulnerable
(7.4.0.dfsg.1-2)
artful Not vulnerable
(7.4.0.dfsg.1-2)
bionic Not vulnerable
(7.4.0.dfsg.1-2)
cosmic Not vulnerable
(7.4.0.dfsg.1-2)
disco Not vulnerable
(7.4.0.dfsg.1-2)
eoan Not vulnerable
(7.4.0.dfsg.1-2)
focal Not vulnerable
(7.4.0.dfsg.1-2)
impish Not vulnerable
(7.4.0.dfsg.1-2)
jammy Not vulnerable
(7.4.0.dfsg.1-2)
precise Ignored
(end of life)
trusty Ignored
(regressions likely)
upstream
Released (7.1.0+dfsg-12)
xenial Ignored
(regressions likely)
yakkety Ignored
(end of life)
zesty Ignored
(end of life)
Patches:
upstream: https://github.com/heimdal/heimdal/commit/b1e699103f08d6a0ca46a122193c9da65f6cf837
Binaries built from this source package are in Universe and so are supported by the community.

Severity score breakdown

Parameter Value
Base score 7.5
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact High
Availability impact None
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N