From 757be0ca60a35e174b7ffb89afb907e4857f734f Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Sun, 4 Dec 2022 21:05:39 +0100
|
|
Subject: [PATCH 24/54] CVE-2022-37966 s4:kdc: also limit the krbtgt history to
|
|
their strongest keys
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
(cherry picked from commit 6b46b764fc5760d3bf83bb1ea5fa398d993cf68d)
|
|
|
|
Conflict: NA
|
|
Reference: https://attachments.samba.org/attachment.cgi?id=17695
|
|
---
|
|
source4/kdc/db-glue.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
|
|
index d1ba6b77840c..c706898e29b9 100644
|
|
--- a/source4/kdc/db-glue.c
|
|
+++ b/source4/kdc/db-glue.c
|
|
@@ -1518,6 +1518,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
|
|
if (entry->etypes != NULL) {
|
|
entry->etypes->len = 1;
|
|
}
|
|
+ entry->old_keys.len = MIN(entry->old_keys.len, 1);
|
|
+ entry->older_keys.len = MIN(entry->older_keys.len, 1);
|
|
}
|
|
#endif
|
|
} else if (kdc_db_ctx->rodc) {
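Review bot: The two added lines, `entry->old_keys.len = MIN(entry->old_keys.len, 1);` and its `older_keys` twin, keep the strongest key only if index 0 of each history array already holds it, and nothing visible in the hunk establishes that ordering. Since the whole point of the fix is that weaker krbtgt history keys must not remain usable, I would state the invariant next to the code, for example `/* krbtgt: keep only the first key of each history generation; relies on the arrays being built strongest-first */`. Lowering `len` also leaves the dropped key entries in place but out of reach of any later loop bounded by `len`, so it is worth confirming that their release or wiping does not depend on walking `len`. The enclosing block of `samba_kdc_message2entry()` and the `#if` that this `#endif` closes both start outside the hunk, so the build configuration under which the limit applies cannot be seen from here.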
|
|
--
|
|
2.34.1
|