http_negotiate: do not delegate GSSAPI credentials
author Kamil Dudka <kdudka@redhat.com>
Tue, 9 Oct 2012 11:01:56 +0000 (9 13:01 +0200)
committer Kalle Olavi Niemitalo <Kalle@Niukka.kon.iki.fi>
Sun, 28 Oct 2012 12:50:58 +0000 (28 14:50 +0200)
CVE-2012-4545.  Reported by Marko Myllynen.

src/protocol/http/http_negotiate.c

index 470b071..271b443 100644 (file)
@@ -188,7 +188,7 @@ http_negotiate_create_context(struct negotiate *neg)
                                            &neg->context,
                                            neg->server_name,
                                            GSS_C_NO_OID,
-                                           GSS_C_DELEG_FLAG,
+                                           0,
                                            0,
                                            GSS_C_NO_CHANNEL_BINDINGS,
                                            &neg->input_token,
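
Review bot: The new `0` passed in the flags position in http_negotiate_create_context() sits directly above the existing `0` for the time argument, so the call no longer shows that delegation is being left out on purpose. Please add a short comment on that line (or a named constant for the request flags) saying that GSS_C_DELEG_FLAG must not be set, so a later cleanup does not restore it and forward the user's credentials to whichever server asks for Negotiate. Since the request flags are now empty, it is also worth stating in the commit message or a comment whether mutual authentication (GSS_C_MUTUAL_FLAG) is intentionally not requested either.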