Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.427 (Entity 5.427) From: ghudson@mit.edu Subject: git commit X-RT-Original-Encoding: iso-8859-1 Content-Length: 738 Fix gssrpc data leakage [CVE-2014-9423] [MITKRB5-SA-2015-001] In svcauth_gss_accept_sec_context(), do not copy bytes from the union context into the handle field we send to the client. We do not use this handle field, so just supply a fixed string of "xxxx". In gss_union_ctx_id_struct, remove the unused "interposer" field which was causing part of the union context to remain uninitialized. https://github.com/krb5/krb5/commit/5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c Author: Greg Hudson Commit: 5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c Branch: master src/lib/gssapi/mechglue/mglueP.h | 1 - src/lib/rpc/svc_auth_gss.c | 25 ++----------------------- 2 files changed, 2 insertions(+), 24 deletions(-)