==========================================================================

Ubuntu Security Notice USN-6947-1
August 08, 2024

krb5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 24.04 LTS
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS
• Ubuntu 18.04 LTS
• Ubuntu 16.04 LTS
• Ubuntu 14.04 LTS

Summary:

Kerberos could be made to crash if it received specially crafted
input.

Software Description:

• krb5: MIT Kerberos Network Authentication Protocol

Details:

It was discovered that Kerberos incorrectly handled GSS message tokens
where an unwrapped token could appear to be truncated. An attacker
could possibly use this issue to cause a denial of service.
(CVE-2024-37370)

It was discovered that Kerberos incorrectly handled GSS message tokens
when sent a token with invalid length fields. An attacker could possibly
use this issue to cause a denial of service. (CVE-2024-37371)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
krb5-admin-server 1.20.1-6ubuntu2.1
krb5-kdc 1.20.1-6ubuntu2.1
krb5-kdc-ldap 1.20.1-6ubuntu2.1
krb5-otp 1.20.1-6ubuntu2.1
krb5-pkinit 1.20.1-6ubuntu2.1
krb5-user 1.20.1-6ubuntu2.1
libgssapi-krb5-2 1.20.1-6ubuntu2.1
libgssrpc4t64 1.20.1-6ubuntu2.1
libk5crypto3 1.20.1-6ubuntu2.1
libkadm5clnt-mit12 1.20.1-6ubuntu2.1
libkadm5srv-mit12 1.20.1-6ubuntu2.1
libkdb5-10t64 1.20.1-6ubuntu2.1
libkrad0 1.20.1-6ubuntu2.1
libkrb5-3 1.20.1-6ubuntu2.1
libkrb5support0 1.20.1-6ubuntu2.1

Ubuntu 22.04 LTS
krb5-admin-server 1.19.2-2ubuntu0.4
krb5-kdc 1.19.2-2ubuntu0.4
krb5-kdc-ldap 1.19.2-2ubuntu0.4
krb5-otp 1.19.2-2ubuntu0.4
krb5-pkinit 1.19.2-2ubuntu0.4
krb5-user 1.19.2-2ubuntu0.4
libgssapi-krb5-2 1.19.2-2ubuntu0.4
libgssrpc4 1.19.2-2ubuntu0.4
libk5crypto3 1.19.2-2ubuntu0.4
libkadm5clnt-mit12 1.19.2-2ubuntu0.4
libkadm5srv-mit12 1.19.2-2ubuntu0.4
libkdb5-10 1.19.2-2ubuntu0.4
libkrad0 1.19.2-2ubuntu0.4
libkrb5-3 1.19.2-2ubuntu0.4
libkrb5support0 1.19.2-2ubuntu0.4

Ubuntu 20.04 LTS
krb5-admin-server 1.17-6ubuntu4.6
krb5-kdc 1.17-6ubuntu4.6
krb5-kdc-ldap 1.17-6ubuntu4.6
krb5-otp 1.17-6ubuntu4.6
krb5-pkinit 1.17-6ubuntu4.6
krb5-user 1.17-6ubuntu4.6
libgssapi-krb5-2 1.17-6ubuntu4.6
libgssrpc4 1.17-6ubuntu4.6
libk5crypto3 1.17-6ubuntu4.6
libkadm5clnt-mit11 1.17-6ubuntu4.6
libkadm5srv-mit11 1.17-6ubuntu4.6
libkdb5-9 1.17-6ubuntu4.6
libkrad0 1.17-6ubuntu4.6
libkrb5-3 1.17-6ubuntu4.6
libkrb5support0 1.17-6ubuntu4.6

Ubuntu 18.04 LTS
krb5-admin-server 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
krb5-kdc 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
krb5-kdc-ldap 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
krb5-otp 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
krb5-pkinit 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
krb5-user 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libgssapi-krb5-2 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libgssrpc4 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libk5crypto3 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkadm5clnt-mit11 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkadm5srv-mit11 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkdb5-9 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkrad0 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkrb5-3 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro
libkrb5support0 1.16-2ubuntu0.4+esm2
Available with Ubuntu Pro

Ubuntu 16.04 LTS
krb5-admin-server 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
krb5-kdc 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
krb5-kdc-ldap 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
krb5-otp 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
krb5-pkinit 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
krb5-user 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libgssapi-krb5-2 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libgssrpc4 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libk5crypto3 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkadm5clnt-mit9 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkadm5srv-mit9 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkdb5-8 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkrad0 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkrb5-3 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro
libkrb5support0 1.13.2+dfsg-5ubuntu2.2+esm5
Available with Ubuntu Pro

Ubuntu 14.04 LTS
krb5-admin-server 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
krb5-kdc 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
krb5-kdc-ldap 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
krb5-otp 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
krb5-pkinit 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
krb5-user 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libgssapi-krb5-2 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libgssrpc4 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libk5crypto3 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkadm5clnt-mit9 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkadm5srv-mit8 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkadm5srv-mit9 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkdb5-7 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkrad0 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkrb5-3 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro
libkrb5support0 1.12+dfsg-2ubuntu5.4+esm5
Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6947-1
https://ubuntu.com/security/notices/USN-6947-1
CVE-2024-37370, CVE-2024-37371

Package Information:
https://launchpad.net/ubuntu/+source/krb5/1.20.1-6ubuntu2.1
https://launchpad.net/ubuntu/+source/krb5/1.20.1-6ubuntu2.1
https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.4
https://launchpad.net/ubuntu/+source/krb5/1.19.2-2ubuntu0.4
https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.6
https://launchpad.net/ubuntu/+source/krb5/1.17-6ubuntu4.6