CVE-2019-12098

Priority
Description
In the client side of Heimdal before 7.6.0, failure to verify anonymous
PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This
issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
Notes
leosilva> it fails with an FTBFS on certs tests. This issue is probably related:
https://github.com/heimdal/heimdal/issues/533.
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): needed
Ubuntu 14.04 ESM (Trusty Tahr): needed
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): ignored (reached end-of-life)
Ubuntu 19.10 (Eoan Ermine): not-affected (7.5.0+dfsg-3build1)
Ubuntu 20.04 (Focal Fossa): not-affected (7.5.0+dfsg-3build1)
Patches:
Upstream: https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
More Information

Updated: 2020-01-23 20:46:25 UTC (commit b4629892d998f2ede31f59bb7508dc50a92ac664)