[Calendarserver-maintainers] Bug#796195: CVE-2015-3206

Guido Günther agx at sigxcpu.org
Sat Aug 22 12:07:33 UTC 2015


Hi,
On Thu, Aug 20, 2015 at 11:15:01AM +0200, Moritz Muehlenhoff wrote:
> Source: pykerberos
> Severity: important
> Tags: security
> 
> CVE-2015-3206 was assigned to the fact that pykerberos doesn't
> validate the authenticity of the KDC in checkPassword(). Fix
> is here:
> https://github.com/02strich/pykerberos/commit/02d13860b25fab58e739f0e000bed0067b7c6f9c.patch
> 
> For unstable we should probably enable it by default and keep
> the status quo for earlier releases.

Agreed. Should this go via a security update or would you prefer a point
release? I've just fixed sid and the package version in jessie is
identical.
Cheers,
 -- Guido


