[Pkg-freeipa-devel] Bug#1120702: python-kdcproxy: CVE-2025-59088 CVE-2025-59089
Salvatore Bonaccorso
carnil at debian.org
Fri Nov 14 21:53:52 GMT 2025
Source: python-kdcproxy
Version: 1.0.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/latchset/kdcproxy/pull/68
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 1.0.0-1
Hi,
The following vulnerabilities were published for python-kdcproxy.
CVE-2025-59088[0]:
| If kdcproxy receives a request for a realm which does not have
| server addresses defined in its configuration, by default, it will
| query SRV records in the DNS zone matching the requested realm name.
| This creates a server-side request forgery vulnerability, since an
| attacker could send a request for a realm matching a DNS zone where
| they created SRV records pointing to arbitrary ports and hostnames
| (which may resolve to loopback or internal IP addresses). This
| vulnerability can be exploited to probe internal network topology
| and firewall rules, perform port scanning, and exfiltrate data.
| Deployments where the "use_dns" setting is explicitly set to false
| are not affected.
CVE-2025-59089[1]:
| If an attacker causes kdcproxy to connect to an attacker-controlled
| KDC server (e.g. through server-side request forgery), they can
| exploit the fact that kdcproxy does not enforce bounds on TCP
| response length to conduct a denial-of-service attack. While
| receiving the KDC's response, kdcproxy copies the entire buffered
| stream into a new buffer on each recv() call, even when the transfer
| is incomplete, causing excessive memory allocation and CPU usage.
| Additionally, kdcproxy accepts incoming response chunks as long as
| the received data length is not exactly equal to the length
| indicated in the response header, even when individual chunks or the
| total buffer exceed the maximum length of a Kerberos message. This
| allows an attacker to send unbounded data until the connection
| timeout is reached (approximately 12 seconds), exhausting server
| memory or CPU resources. Multiple concurrent requests can cause
| accept queue overflow, denying service to legitimate clients.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-59088
https://www.cve.org/CVERecord?id=CVE-2025-59088
[1] https://security-tracker.debian.org/tracker/CVE-2025-59089
https://www.cve.org/CVERecord?id=CVE-2025-59089
[2] https://github.com/latchset/kdcproxy/pull/68
Regards,
Salvatore
More information about the Pkg-freeipa-devel
mailing list