Debian Heimdal vulnerabilities
27 known vulnerabilities affecting debian/heimdal.
Total CVEs: 27
CISA KEV: 0
Public exploits: 1
Exploited in wild: 1
Severity breakdown: CRITICAL 5, HIGH 12, MEDIUM 7, LOW 3
Vulnerabilities
Page 1 of 2
CVE-2022-44640 | CRITICAL | CVSS 9.8 | fixed in heimdal 7.8.git20221115.a6cf945+dfsg-1 (bookworm) | 2022
CVE-2022-44640 [CRITICAL] CVE-2022-44640: heimdal - Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because o...
Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).
Scope: local
bookworm: resolved (fixed in 7.8.git20221115.a6cf945+dfsg-1)
bullseye: resolved (fixed in 7.7.0+dfsg-2+deb11u2)
forky: resolved (fixed in 7.8.git20221115.a6cf945+dfsg-1)
sid: resolved (fixed
debian
CVE-2022-42898 | HIGH | CVSS 8.8 | fixed in heimdal 7.8.git20221115.a6cf945+dfsg-1 (bookworm) | 2022
CVE-2022-42898 [HIGH] CVE-2022-42898: heimdal - PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 ...
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb
debian
CVE-2022-3437 | MEDIUM | CVSS 6.5 | fixed in heimdal 7.8.git20221115.a6cf945+dfsg-1 (bookworm) | 2022
CVE-2022-3437 [MEDIUM] CVE-2022-3437: heimdal - A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI ...
A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send sp
debian
CVE-2022-41916 | MEDIUM | CVSS 5.9 | fixed in heimdal 7.8.git20221115.a6cf945+dfsg-1 (bookworm) | 2022
CVE-2022-41916 [MEDIUM] CVE-2022-41916: heimdal - Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Versions prior to...
Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos. Versions prior to 7.7.1 are vulnerable to a denial of service vulnerability in Heimdal's PKI certificate validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users should upgrade to Heimdal 7.7.1 or 7.8. There are n
debian
CVE-2022-45142 | MEDIUM | CVSS 6.5 | fixed in heimdal 7.8.git20221117.28daf24+dfsg-1.1 (bookworm) | 2022
CVE-2022-45142 [MEDIUM] CVE-2022-45142: heimdal - The fix for CVE-2022-3437 included changing memcmp to be constant time and a wor...
The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arc
debian
CVE-2022-3116 | LOW | CVSS 7.5 | 2022
CVE-2022-3116 [HIGH] CVE-2022-3116: heimdal - The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer d...
The Heimdal Software Kerberos 5 implementation is vulnerable to a null pointer dereference. An attacker with network access to an application that depends on the vulnerable code path can cause the application to crash.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2021-44758 | HIGH | CVSS 7.5 | fixed in heimdal 7.8.git20221115.a6cf945+dfsg-1 (bookworm) | 2021
CVE-2021-44758 [HIGH] CVE-2021-44758: heimdal - Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a S...
Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept.
Scope: local
bookworm: resolved (fixed in 7.8.git20221115.a6cf945+dfsg-1)
bullseye: resolved (fixed in 7.7.0+dfsg-2+deb11u2)
forky: resolved (fixed in 7.8.git20221115.a6cf945+dfs
debian
CVE-2021-3671 | MEDIUM | CVSS 6.5 | fixed in heimdal 7.7.0+dfsg-3 (bookworm) | 2021
CVE-2021-3671 [MEDIUM] CVE-2021-3671: heimdal - A null pointer de-reference was found in the way samba kerberos server handled m...
A null pointer de-reference was found in the way samba kerberos server handled missing sname in TGS-REQ (Ticket Granting Server - Request). An authenticated user could use this flaw to crash the samba server.
Scope: local
bookworm: resolved (fixed in 7.7.0+dfsg-3)
bullseye: resolved (fixed in 7.7.0+dfsg-2+deb11u2)
forky: resolved (fixed in 7.7.0+dfsg-3)
sid: resolve
debian
CVE-2019-12098 | HIGH | CVSS 7.4 | fixed in heimdal 7.5.0+dfsg-3 (bookworm) | 2019
CVE-2019-12098 [HIGH] CVE-2019-12098: heimdal - In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT P...
In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
Scope: local
bookworm: resolved (fixed in 7.5.0+dfsg-3)
bullseye: resolved (fixed in 7.5.0+dfsg-3)
forky: resolved (fixed in 7.5.0+dfsg-3)
sid: resolved (fixed
debian
CVE-2019-14870 | MEDIUM | CVSS 5.4 | fixed in heimdal 7.7.0+dfsg-1 (bookworm) | 2019
CVE-2019-14870 [MEDIUM] CVE-2019-14870: heimdal - All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before ...
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwar
debian
CVE-2018-16860 | HIGH | CVSS 7.5 | fixed in heimdal 7.5.0+dfsg-3 (bookworm) | 2018
CVE-2018-16860 [HIGH] CVE-2018-16860: heimdal - A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, ex...
A flaw was found in samba's Heimdal KDC implementation, versions 4.8.x up to, excluding 4.8.12, 4.9.x up to, excluding 4.9.8 and 4.10.x up to, excluding 4.10.3, when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that
debian
CVE-2017-17439 | HIGH | CVSS 7.5 | fixed in heimdal 7.5.0+dfsg-1 (bookworm) | 2017
CVE-2017-17439 [HIGH] CVE-2017-17439: heimdal - In Heimdal through 7.4, remote unauthenticated attackers are able to crash the K...
In Heimdal through 7.4, remote unauthenticated attackers are able to crash the KDC by sending a crafted UDP packet containing empty data fields for client name or realm. The parser would unconditionally dereference NULL pointers in that case, leading to a segmentation fault. This is related to the _kdc_as_rep function in kdc/kerberos5.c and the der_length_visible_st
debian
CVE-2017-11103 | HIGH | CVSS 8.1 | fixed in heimdal 7.4.0.dfsg.1-1 (bookworm) | 2017
CVE-2017-11103 [HIGH] CVE-2017-11103: heimdal - Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus'...
Heimdal before 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification. In _krb5_extract_ticket() the KDC-REP service name must be obtained from the encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'
debian
CVE-2017-6594 | HIGH | CVSS 7.5 | fixed in heimdal 7.1.0+dfsg-12 (bookworm) | 2017
CVE-2017-6594 [HIGH] CVE-2017-6594: heimdal - The transit path validation code in Heimdal before 7.3 might allow attackers to ...
The transit path validation code in Heimdal before 7.3 might allow attackers to bypass the capath policy protection mechanism by leveraging failure to add the previous hop realm to the transit path of issued tickets.
Scope: local
bookworm: resolved (fixed in 7.1.0+dfsg-12)
bullseye: resolved (fixed in 7.1.0+dfsg-12)
forky: resolved (fixed in 7.1.0+dfsg-12)
sid: resolv
debian
CVE-2011-4862 | HIGH | CVSS 10.0 | Exploited | PoC | fixed in heimdal 1.5.dfsg.1-1 (bookworm) | 2011
CVE-2011-4862 [CRITICAL] CVE-2011-4862: heimdal - Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MI...
Buffer overflow in libtelnet/encrypt.c in telnetd in FreeBSD 7.3 through 9.0, MIT Kerberos Version 5 Applications (aka krb5-appl) 1.0.2 and earlier, Heimdal 1.5.1 and earlier, GNU inetutils, and possibly other products allows remote attackers to execute arbitrary code via a long encryption key, as exploited in the wild in December 2011.
Scope: local
bookworm: reso
debian
CVE-2010-1321 | MEDIUM | CVSS 6.8 | fixed in heimdal 1.4.0~git20100605.dfsg.1-1 (bookworm) | 2010
CVE-2010-1321 [MEDIUM] CVE-2010-1321: heimdal - The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library ...
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ m
debian
CVE-2007-5939 | LOW | CVSS 10.0 | 2007
CVE-2007-5939 [CRITICAL] CVE-2007-5939: heimdal - The gss_userok function in appl/ftp/ftpd/gss_userok.c in Heimdal 0.7.2 does not ...
The gss_userok function in appl/ftp/ftpd/gss_userok.c in Heimdal 0.7.2 does not allocate memory for the ticketfile pointer before calling free, which allows remote attackers to have an unknown impact via an invalid username. NOTE: the vulnerability was originally reported for ftpd.c, but this is incorrect.
Scope: local
bookworm: resolved
bullseye: resolved
forky:
debian
CVE-2006-0677 | HIGH | CVSS 7.8 | fixed in heimdal 0.7.2-1 (bookworm) | 2006
CVE-2006-0677 [HIGH] CVE-2006-0677: heimdal - telnetd in Heimdal 0.6.x before 0.6.6 and 0.7.x before 0.7.2 allows remote unaut...
telnetd in Heimdal 0.6.x before 0.6.6 and 0.7.x before 0.7.2 allows remote unauthenticated attackers to cause a denial of service (server crash) via unknown vectors that trigger a null dereference.
Scope: local
bookworm: resolved (fixed in 0.7.2-1)
bullseye: resolved (fixed in 0.7.2-1)
forky: resolved (fixed in 0.7.2-1)
sid: resolved (fixed in 0.7.2-1)
trixie: resolve
debian
CVE-2006-0582 | LOW | CVSS 2.1 | fixed in heimdal 0.7.2-1 (bookworm) | 2006
CVE-2006-0582 [LOW] CVE-2006-0582: heimdal - Unspecified vulnerability in rshd in Heimdal 0.6.x before 0.6.6 and 0.7.x before...
Unspecified vulnerability in rshd in Heimdal 0.6.x before 0.6.6 and 0.7.x before 0.7.2, when storing forwarded credentials, allows attackers to overwrite arbitrary files and change file ownership via unknown vectors.
Scope: local
bookworm: resolved (fixed in 0.7.2-1)
bullseye: resolved (fixed in 0.7.2-1)
forky: resolved (fixed in 0.7.2-1)
sid: resolved (fixed in 0.7.2-
debian
CVE-2005-2040 | HIGH | CVSS 7.5 | fixed in heimdal 0.6.3-11 (bookworm) | 2005
CVE-2005-2040 [HIGH] CVE-2005-2040: heimdal - Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal...
Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal before 0.6.5 may allow remote attackers to execute arbitrary code, a different vulnerability than CVE-2005-0468 and CVE-2005-0469.
Scope: local
bookworm: resolved (fixed in 0.6.3-11)
bullseye: resolved (fixed in 0.6.3-11)
forky: resolved (fixed in 0.6.3-11)
sid: resolved (fixed in 0.6.3-1
debian