CVE-2011-4151?
Tom Yu
tlyu at MIT.EDU
Sat Oct 22 12:36:00 EDT 2011
Eray Aslan <eray.aslan at caf.com.tr> writes:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4151
>
> mentions a vulnerability in kdc but there is little info about it. What
> configuration is vulnerable for this CVE?
It looks like someone split CVE-2011-1528 without notifying us.
Basically, CVE-2011-1528 covers two different configurations in which
two different sets of releases are vulnerable depending on the KDC
back end configuration. It looks like whoever did the split meant to
separately identify the Berkeley DB back end vulnerability as
CVE-2011-4151, leaving the LDAP back end vulnerability as
CVE-2011-1528, but the CVE database does not reflect this split
completely, leaving CVE-2011-1528 describing both variants.
We made a close judgment call that the two variants did not merit
separate CVE IDs, but it looks like someone disagreed.
> Basically, I am looking to see if there is anything I need to do for our
> users.
If I am reading the limited information in the entry for CVE-2011-4151
correctly, it is already covered by the patch in MITKRB5-SA-2011-006.
Also note that krb5-1.9 and later are not vulnerable to CVE-2011-4151
(the Berkeley DB variation of the vulnerability).
I will ask the CVE maintainers for clarification about why the CVE ID
split occurred, and update the advisory as appropriate.
More information about the Kerberos
mailing list