Commit Graph

1 Commits

Author SHA1 Message Date
Petr Menšík
69113104a6 [9.16] [CVE-2026-3039] sec: usr: Fix GSS-API resource leak
Fixed a memory leak where each GSS-API TKEY negotiation leaked a security context inside the GSS library. An unauthenticated attacker could exhaust server memory by sending repeated TKEY queries to a server with tkey-gssapi-keytab configured. The leaked memory was allocated by the GSS library, bypassing BIND's memory accounting.

Multi-round GSS-API negotiation (GSS_S_CONTINUE_NEEDED) is now rejected, as BIND never supported it correctly and Kerberos/SPNEGO completes in a single round.

Also implemented missing RFC 3645 requirement: the client now verifies that mutual authentication and integrity flags are granted by the GSS-API mechanism (Section 3.1.1).

Resolves-Vulnerability: CVE-2026-3039
Resolves: RHEL-177771
2026-06-24 14:56:42 +02:00