[Pkg-freeipa-devel] Bug#1077682: freeipa: CVE-2024-2698

Moritz Mühlenhoff jmm at inutil.org
Wed Jul 31 22:38:45 BST 2024


Source: freeipa
X-Debbugs-CC: team at security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for freeipa.

CVE-2024-2698[0]:
| A vulnerability was found in FreeIPA in how the initial
| implementation of MS-SFU by MIT Kerberos was missing a condition for
| granting the "forwardable" flag on S4U2Self tickets. Fixing this
| mistake required adding a special case for the
| check_allowed_to_delegate() function: If the target service argument
| is NULL, then it means the KDC is probing for general constrained
| delegation rules and not checking a specific S4U2Proxy request.
| In FreeIPA 4.11.0, the behavior of ipadb_match_acl() was modified to
| match the changes from upstream MIT Kerberos 1.20. However, a
| mistake resulted in this mechanism applying in cases where the
| target service argument is set AND where it is unset. This results
| in S4U2Proxy requests being accepted regardless of whether or not
| there is a matching service delegation rule.

https://bugzilla.redhat.com/show_bug.cgi?id=2270353


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-2698
    https://www.cve.org/CVERecord?id=CVE-2024-2698

Please adjust the affected versions in the BTS as needed.
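To make the logic error in the description concrete, here is a simplified model of a KDB constrained-delegation ACL check, added to this report as an illustration. It is not FreeIPA's or MIT Kerberos's code: the rule table, the principal names, the function names match_acl_vulnerable()/match_acl_fixed() and the return codes are all hypothetical. The vulnerable variant takes the "probe" short-circuit (target == NULL, i.e. "does any rule exist for this proxy?") whether or not a target was supplied, so any S4U2Proxy request from a proxy that appears in some rule is accepted; the fixed variant only short-circuits on a real probe and otherwise requires a rule naming the requested target.

```c
/*
 * Simplified model of a KDB constrained-delegation ACL check, written for
 * this bug report to illustrate the CVE-2024-2698 logic error.
 * NOT FreeIPA's or MIT Kerberos's code: rule table, names and return
 * codes are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TARGETS 4

/* One "service delegation rule": proxy may impersonate users to targets. */
struct delegation_rule {
    const char *proxy;
    const char *targets[MAX_TARGETS]; /* NULL-terminated */
};

/* Constructed sample rule set (hypothetical principal names). */
static const struct delegation_rule RULES[] = {
    { "HTTP/web.example.test", { "ldap/ds.example.test", NULL } },
};
static const size_t NRULES = sizeof(RULES) / sizeof(RULES[0]);

enum deleg_result { DELEG_ALLOWED = 0, DELEG_DENIED = 1 };

static bool rule_lists_target(const struct delegation_rule *r,
                              const char *target)
{
    for (size_t i = 0; i < MAX_TARGETS && r->targets[i] != NULL; i++)
        if (strcmp(r->targets[i], target) == 0)
            return true;
    return false;
}

/*
 * Vulnerable variant (models the mistake described above): the special
 * case meant for a probe (target == NULL) is taken whether or not a
 * target was supplied, so a real S4U2Proxy request is accepted as soon
 * as the proxy appears in ANY rule, regardless of the requested target.
 */
enum deleg_result match_acl_vulnerable(const char *proxy, const char *target)
{
    (void)target; /* the bug: the target is never consulted */
    for (size_t i = 0; i < NRULES; i++)
        if (strcmp(RULES[i].proxy, proxy) == 0)
            return DELEG_ALLOWED;
    return DELEG_DENIED;
}

/*
 * Fixed variant: the probe short-circuit applies only when target is
 * NULL; a concrete S4U2Proxy request must match a rule naming its target.
 */
enum deleg_result match_acl_fixed(const char *proxy, const char *target)
{
    for (size_t i = 0; i < NRULES; i++) {
        if (strcmp(RULES[i].proxy, proxy) != 0)
            continue;
        if (target == NULL)
            return DELEG_ALLOWED; /* probe: some rule exists for this proxy */
        if (rule_lists_target(&RULES[i], target))
            return DELEG_ALLOWED; /* explicit rule proxy -> target */
    }
    return DELEG_DENIED;
}

int main(void)
{
    const char *proxy = "HTTP/web.example.test";
    const char *no_rule_target = "cifs/files.example.test"; /* not in any rule */

    printf("probe        vulnerable=%d fixed=%d\n",
           match_acl_vulnerable(proxy, NULL), match_acl_fixed(proxy, NULL));
    printf("ldap target  vulnerable=%d fixed=%d\n",
           match_acl_vulnerable(proxy, "ldap/ds.example.test"),
           match_acl_fixed(proxy, "ldap/ds.example.test"));
    printf("cifs target  vulnerable=%d fixed=%d\n",
           match_acl_vulnerable(proxy, no_rule_target),
           match_acl_fixed(proxy, no_rule_target));
    return 0;
}
```

The third line of output is the point of the CVE: with the vulnerable check, HTTP/web.example.test can obtain an S4U2Proxy ticket for a cifs service no rule ever granted it, while the fixed check denies it and still answers the NULL-target probe the same way.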
