[krbdev.mit.edu #6978] SVN Commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sat Oct 15 12:56:27 EDT 2011
Allow krb5_rd_priv and krb5_rd_safe to work when there is no remote
address set in the auth context, unless the KRB5_AUTH_CONTEXT_DO_TIMES
flag is set (in which case we need the remote address for the replay
cache name). Note that failing to set the remote address can create a
vulnerability to reflection attacks in some protocols, although it is
fairly easy to defend against--either use sequence numbers, or make
sure that requests don't look like replies, or both.
http://src.mit.edu/fisheye/changelog/krb5/?cs=25355
Commit By: ghudson
Revision: 25355
Changed Files:
U trunk/src/lib/krb5/krb/privsafe.c
U trunk/src/lib/krb5/krb/rd_priv.c
U trunk/src/lib/krb5/krb/rd_safe.c
More information about the krb5-bugs
mailing list