Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Fix kpasswd UDP ping-pong [CVE-2002-2443]
The kpasswd service provided by kadmind was vulnerable to a UDP "ping-pong" attack [CVE-2002-2443]. Don't respond to packets unless they pass some basic validation, and don't respond to our own error packets. Some authors use CVE-1999-0103 to refer to the kpasswd UDP ping-pong attack or UDP ping-pong attacks in general, but there is discussion leading toward narrowing the definition of CVE-1999-0103 to the echo, chargen, or other similar built-in inetd services. Thanks to Vincent Danen for alerting us to this issue. CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C ticket: 7637 (new) target_version: 1.11.3 tags: pullup
- Loading branch information