[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0.
From: |
Leo Famulari |
Subject: |
[bug#62760] [PATCH 1/3] gnu: heimdal: Update to 7.8.0. |
Date: |
Mon, 10 Apr 2023 19:05:35 -0400 |
On Mon, Apr 10, 2023 at 12:52:24PM -0700, Felix Lechner via Guix-patches via
wrote:
> Fixes CVE-2022-44640 [1] "Heimdal KDC: invalid free in ASN.1 codec." The
> upstream release announcement calls it "a severe vulnerability, possibly a
> 10.0 on the Common Vulnerability Scoring System (CVSS) v3."
>
> The upstream developers further "believe it should be possible to get an RCE
> [remote code execution] on a KDC, which means that credentials can be
> compromised that can be used to impersonate anyone in a realm or forest of
> realms." "While no zero-day exploit is known, such an exploit will likely be
> available soon after public disclosure." [2]
>
> [1] https://nvd.nist.gov/vuln/detail/CVE-2022-44640
> [2] https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0
>
> * gnu/packages/kerberos.scm (heimdal): Update to 7.8.0.
Thanks for this!
> @@ -249,7 +250,8 @@ (define-public heimdal
> (native-inputs (list e2fsprogs ;for 'compile_et'
> texinfo
> unzip ;for tests
> - perl))
> + perl
> + python))
Is this part intentional? It wasn't mentioned in the commit message.