Key Management Errors The advisory has been revoked - it doesn't affect any version of package heimdal Open this link in a new tab

The Ubuntu security team deemed this advisory irrelevant for Ubuntu:18.10.

Note: Versions mentioned in the description apply only to the upstream heimdal package and not the heimdal package as distributed by Ubuntu.

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.

• http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-12098
• https://seclists.org/bugtraq/2019/Jun/1
• http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12098
• https://www.debian.org/security/2019/dsa-4455
• https://security-tracker.debian.org/tracker/CVE-2019-12098
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GIXEDVVMPD6ZAJSMI2EZ7FNEIVNWE5PD/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SLXXIF4LOQEAEDAF4UGP2AO6WDNTDFUB/
• https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
• https://github.com/heimdal/heimdal/compare/3e58559...bbafe72
• https://github.com/heimdal/heimdal/releases/tag/heimdal-7.6.0
• http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00002.html
• http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00003.html
• http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00026.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIXEDVVMPD6ZAJSMI2EZ7FNEIVNWE5PD/
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLXXIF4LOQEAEDAF4UGP2AO6WDNTDFUB/