Need suggestion/help in back porting the fix for vulnerability CVE-2017-7562 (backporting from Kerberos 1.16.1 to Kerberos 1.9)

Greg Hudson ghudson at
Fri Sep 21 11:12:29 EDT 2018

On 09/21/2018 10:37 AM, Shivakumar Nadarajan -X (shinadar - HCL 
> 	Thanks for your interest in this issue. But I am still not clear that how this vulnerability is not applicable to kerberos 1.9 .
> Because as per the git link it seems that this functionality is present in kerberos 1.9 also.

The certauth pluggable interface was introduced in commit
b619ce84470519bea65470be3263cd85fba94f57 (February 2017).  It replaced 
some of the existing logic for validating client certificates with two 
built-in modules.  The first, "pkinit_san", checks the Subject 
Alternative Name values in the client certificate against the requested 
principal; the second, "pkinit_eku", checks the Extended Key Usage 
values in the client certificate to see if it was issued for use with 

The vulnerability was that these two new modules were not always 
returning the correct results to the pluggable interface accumulator. 
The hardcoded logic used prior to commit 
b619ce84470519bea65470be3263cd85fba94f57 did not have the same problem.

More information about the krbdev mailing list