Commit Graph

1 Commits

Author SHA1 Message Date
Petr Menšík
6e9e27a88b [9.11] [CVE-2026-3039] sec: usr: Fix GSS-API resource leak
Fixed a memory leak where each GSS-API TKEY negotiation leaked a security context inside the GSS library. An unauthenticated attacker could exhaust server memory by sending repeated TKEY queries to a server with tkey-gssapi-keytab configured. The leaked memory was allocated by the GSS library, bypassing BIND's memory accounting.

Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected, as BIND never supported it correctly and Kerberos/SPNEGO completes in a single round.

Also implemented missing RFC 3645 requirement: the client now verifies that mutual authentication and integrity flags are granted by the GSS-API mechanism (Section 3.1.1).

Resolves-Vulnerability: CVE-2026-3039
Resolves: RHEL-177673
2026-05-27 14:26:23 +02:00