Alexander Bokovoy <abokovoy(a)redhat.com> writes:
> Details for CVE-2020-17049 are still not public so we can only guess
> what the problem is. It also means MIT Kerberos cannot be fixed unless
> we get to know what the real problem is.
>
> Robbie, was this raised with the upstream beyond our recent discussion
> on #kerberos?

To my knowledge Microsoft has not been in contact with us about this
vulnerability. Reporting so far suggests that it's a Microsoft-specific
issue - i.e., MIT and other Kerberos implementations are not affected.
Affected by the vulnerability, that is. There is of course this known
issue with Linux clients; my reading of
https://docs.microsoft.com/en-us/windows/release-information/status-windo...
is that they plan to fix this on their side somehow.

Thanks,
--Robbie