Need suggestion/help in back porting the fix for vulnerability CVE-2017-7562 (backporting from Kerberos 1.16.1 to Kerberos 1.9)

Greg Hudson ghudson at
Fri Sep 21 10:18:00 EDT 2018

On 09/21/2018 02:04 AM, Shivakumar Nadarajan -X (shinadar - HCL
TECHNOLOGIES LIMITED at Cisco) wrote:
> We are using Kerberos (version 1.9) in one of our components. We came
> across the vulnerability CVE-2017-7562 being reported and fixed in
> Kerberos 1.16.1.

CVE-2017-7562 does not apply to version 1.9, so you should not need to 
address it.

This vulnerability actually never appeared in any released version of 
MIT krb5.  It was introduced on the master branch and then fixed before 
the release of 1.16.  The CVE was assigned because the Fedora package 
contained a backport of the feature before it was fixed.
