#1120702 python-kdcproxy: CVE-2025-59088 CVE-2025-59089

Package:
src:python-kdcproxy
Source:
src:python-kdcproxy
Submitter:
Salvatore Bonaccorso
Date:
2025-11-20 17:39:10 UTC
Severity:
normal
Tags:
#1120702#5
Date:
2025-11-14 21:53:52 UTC
From:
To:
Hi,

The following vulnerabilities were published for python-kdcproxy.

CVE-2025-59088[0]:
| If kdcproxy receives a request for a realm which does not have
| server addresses defined in its configuration, by default, it will
| query SRV records in the DNS zone matching the requested realm name.
| This creates a server-side request forgery vulnerability, since an
| attacker could send a request for a realm matching a DNS zone where
| they created SRV records pointing to arbitrary ports and hostnames
| (which may resolve to loopback or internal IP addresses). This
| vulnerability can be exploited to probe internal network topology
| and firewall rules, perform port scanning, and exfiltrate data.
| Deployments where the "use_dns" setting is explicitly set to false
| are not affected.


CVE-2025-59089[1]:
| If an attacker causes kdcproxy to connect to an attacker-controlled
| KDC server (e.g. through server-side request forgery), they can
| exploit the fact that kdcproxy does not enforce bounds on TCP
| response length to conduct a denial-of-service attack. While
| receiving the KDC's response, kdcproxy copies the entire buffered
| stream into a new buffer on each recv() call, even when the transfer
| is incomplete, causing excessive memory allocation and CPU usage.
| Additionally, kdcproxy accepts incoming response chunks as long as
| the received data length is not exactly equal to the length
| indicated in the response header, even when individual chunks or the
| total buffer exceed the maximum length of a Kerberos message. This
| allows an attacker to send unbounded data until the connection
| timeout is reached (approximately 12 seconds), exhausting server
| memory or CPU resources. Multiple concurrent requests can cause
| accept queue overflow, denying service to legitimate clients.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59088
https://www.cve.org/CVERecord?id=CVE-2025-59088
[1] https://security-tracker.debian.org/tracker/CVE-2025-59089
https://www.cve.org/CVERecord?id=CVE-2025-59089
[2] https://github.com/latchset/kdcproxy/pull/68

Regards,
Salvatore