|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
MIT Kerberos Development Team Information for VU#738331
| Date Notified | 08/23/2002 |
| Date Modified | 04/15/2003 03:39:28 PM |
| Status Summary | Vulnerable |
Vendor StatementWe don't ship a resolver implementation as part of MIT krb5. Our code does call res_search() in a potentially unsafe manner, but seems to only result in a read overrun. Also, it is primarily client-side code that calls res_search(), so denial of service attacks against servers are unlikely.
This will be fixed in an upcoming release of MIT krb5. The MIT Kerberos Team is not issuing a patch at this time, as we believe that the vulnerability is limited to a client-side denial of service.
US-CERT AddendumThe CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
 |