lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040901002628.19210.qmail@updates.mandrakesoft.com>
Date: 1 Sep 2004 00:26:28 -0000
From: Mandrake Linux Security Team <security@...ux-mandrake.com>
To: bugtraq@...urityfocus.com
Subject: MDKSA-2004:088 - Updated krb5 packages fix multiple vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

                 Mandrakelinux Security Update Advisory
 _______________________________________________________________________

 Package name:           krb5
 Advisory ID:            MDKSA-2004:088
 Date:                   August 31st, 2004

 Affected versions:	 10.0, 9.1, 9.2, Corporate Server 2.1,
			 Multi Network Firewall 8.2
 ______________________________________________________________________

 Problem Description:

 A double-free vulnerability exists in the MIT Kerberos 5's KDC program
 that could potentially allow a remote attacker to execute arbitrary
 code on the KDC host.  As well, multiple double-free vulnerabilities
 exist in the krb5 library code, which makes client programs and
 application servers vulnerable.  The MIT Kerberos 5 development team
 believes that exploitation of these bugs would be difficult and no
 known vulnerabilities are believed to exist.  The vulnerability in
 krb524d was discovered by Marc Horowitz; the other double-free
 vulnerabilities were discovered by Will Fiveash and Nico Williams at
 Sun.
 
 Will Fiveash and Nico Williams also found another vulnerability in the
 ASN.1 decoder library.  This makes krb5 vulnerable to a DoS (Denial of
 Service) attack causing an infinite loop in the decoder.  The KDC is
 vulnerable to this attack.
 
 The MIT Kerberos 5 team has provided patches which have been applied
 to the updated software to fix these issues.  Mandrakesoft encourages
 all users to upgrade immediately.
 _______________________________________________________________________

 References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0772
  http://www.kb.cert.org/vuls/id/550464
  http://www.kb.cert.org/vuls/id/795632
  http://www.kb.cert.org/vuls/id/866472
  http://www.kb.cert.org/vuls/id/350792
  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt
 ______________________________________________________________________

 Updated Packages:
  
 Mandrakelinux 10.0:
 73bb98eb62d434558f17831600fb1458  10.0/RPMS/ftp-client-krb5-1.3-6.3.100mdk.i586.rpm
 c478483ce848d59f3f3cf392fbc1eb4b  10.0/RPMS/ftp-server-krb5-1.3-6.3.100mdk.i586.rpm
 9e373a4d304f7c6158769f7703a76b01  10.0/RPMS/krb5-server-1.3-6.3.100mdk.i586.rpm
 c3ec5f6e266efe0df3dea9edcf801358  10.0/RPMS/krb5-workstation-1.3-6.3.100mdk.i586.rpm
 34951f4e03deff6e11025f1955035ae0  10.0/RPMS/libkrb51-1.3-6.3.100mdk.i586.rpm
 2e1e16e24bcbbed0c6b9b3cd46eca10c  10.0/RPMS/libkrb51-devel-1.3-6.3.100mdk.i586.rpm
 b8201603630be58a4fa7facb91c7f154  10.0/RPMS/telnet-client-krb5-1.3-6.3.100mdk.i586.rpm
 666908b4dea44b25838965b02f00c1dd  10.0/RPMS/telnet-server-krb5-1.3-6.3.100mdk.i586.rpm
 f3aaaf216f7a850eaf8cb598a20ffc10  10.0/SRPMS/krb5-1.3-6.3.100mdk.src.rpm

 Mandrakelinux 10.0/AMD64:
 2af868662b6264e92be5db61ab15d556  amd64/10.0/RPMS/ftp-client-krb5-1.3-6.3.100mdk.amd64.rpm
 31bf307767c05eae0ac91a417b8bc1f9  amd64/10.0/RPMS/ftp-server-krb5-1.3-6.3.100mdk.amd64.rpm
 319c35d89dddb94c6c5a70d407e466df  amd64/10.0/RPMS/krb5-server-1.3-6.3.100mdk.amd64.rpm
 080f4241e3b5029ca271491de7fb82c0  amd64/10.0/RPMS/krb5-workstation-1.3-6.3.100mdk.amd64.rpm
 dfdff0b6b8e67292226c72abdec54e02  amd64/10.0/RPMS/lib64krb51-1.3-6.3.100mdk.amd64.rpm
 155f76064f777a5f2d912ff18b1f0303  amd64/10.0/RPMS/lib64krb51-devel-1.3-6.3.100mdk.amd64.rpm
 d20e6f4e4eb501f05d9e6af488add5a9  amd64/10.0/RPMS/telnet-client-krb5-1.3-6.3.100mdk.amd64.rpm
 ed5c9891c82e49b28572e7df936f6493  amd64/10.0/RPMS/telnet-server-krb5-1.3-6.3.100mdk.amd64.rpm
 f3aaaf216f7a850eaf8cb598a20ffc10  amd64/10.0/SRPMS/krb5-1.3-6.3.100mdk.src.rpm

 Corporate Server 2.1:
 9d22863c6d09a174166e708b7c6ba939  corporate/2.1/RPMS/ftp-client-krb5-1.2.5-1.7.C21mdk.i586.rpm
 84cebdea8971d8248f93f3082fb0fe31  corporate/2.1/RPMS/ftp-server-krb5-1.2.5-1.7.C21mdk.i586.rpm
 41588cb74622aae52f110ac9d15041cb  corporate/2.1/RPMS/krb5-devel-1.2.5-1.7.C21mdk.i586.rpm
 a0c447a980bbe4690af8bf5cb1676a5c  corporate/2.1/RPMS/krb5-libs-1.2.5-1.7.C21mdk.i586.rpm
 36d8acaa6d56802ae6c85d62e29ed60f  corporate/2.1/RPMS/krb5-server-1.2.5-1.7.C21mdk.i586.rpm
 05c39800a5b323e82f670398c77fff08  corporate/2.1/RPMS/krb5-workstation-1.2.5-1.7.C21mdk.i586.rpm
 1cd56fccbfa1412f5fb90c0bbcc4647f  corporate/2.1/RPMS/telnet-client-krb5-1.2.5-1.7.C21mdk.i586.rpm
 d716bf6b8fd8836203dac119db0ee0b4  corporate/2.1/RPMS/telnet-server-krb5-1.2.5-1.7.C21mdk.i586.rpm
 9447bb1a7e7520fcde4ebfc33ab72d6e  corporate/2.1/SRPMS/krb5-1.2.5-1.7.C21mdk.src.rpm

 Corporate Server 2.1/x86_64:
 7cc0c84ac6d19ed0d5ce75409aaf5c32  x86_64/corporate/2.1/RPMS/ftp-client-krb5-1.2.5-1.7.C21mdk.x86_64.rpm
 2f78604bcb5826934d18761973861c43  x86_64/corporate/2.1/RPMS/ftp-server-krb5-1.2.5-1.7.C21mdk.x86_64.rpm
 92f08007a0f82334b7510aa51b2462a8  x86_64/corporate/2.1/RPMS/krb5-devel-1.2.5-1.7.C21mdk.x86_64.rpm
 812e14a4be8fc9da8c4b8d1796e91537  x86_64/corporate/2.1/RPMS/krb5-libs-1.2.5-1.7.C21mdk.x86_64.rpm
 ddbf43767fe84596fd841208e4f52411  x86_64/corporate/2.1/RPMS/krb5-server-1.2.5-1.7.C21mdk.x86_64.rpm
 8dd02b95a90960233afc8dcd40d1d057  x86_64/corporate/2.1/RPMS/krb5-workstation-1.2.5-1.7.C21mdk.x86_64.rpm
 70dd009c061b6124d49d91464c10d7ea  x86_64/corporate/2.1/RPMS/telnet-client-krb5-1.2.5-1.7.C21mdk.x86_64.rpm
 7d5721b36c4d5df068c60eee73742c8a  x86_64/corporate/2.1/RPMS/telnet-server-krb5-1.2.5-1.7.C21mdk.x86_64.rpm
 9447bb1a7e7520fcde4ebfc33ab72d6e  x86_64/corporate/2.1/SRPMS/krb5-1.2.5-1.7.C21mdk.src.rpm

 Mandrakelinux 9.1:
 097a2e12350a3ade31fae4c932d19e07  9.1/RPMS/ftp-client-krb5-1.2.7-1.4.91mdk.i586.rpm
 2c633d7c508d76965cd3810dc031a4db  9.1/RPMS/ftp-server-krb5-1.2.7-1.4.91mdk.i586.rpm
 76f2c05668511a7f4ba91bdc386ef4fe  9.1/RPMS/krb5-devel-1.2.7-1.4.91mdk.i586.rpm
 9d40edf481b4f422428f85ff74dbc74c  9.1/RPMS/krb5-libs-1.2.7-1.4.91mdk.i586.rpm
 ca64ff3f58567d44e15289ef74616f53  9.1/RPMS/krb5-server-1.2.7-1.4.91mdk.i586.rpm
 98b098ebc6458fbee8a4f8f8931cbb03  9.1/RPMS/krb5-workstation-1.2.7-1.4.91mdk.i586.rpm
 5166992c03e97b9fa55609271747b2ae  9.1/RPMS/telnet-client-krb5-1.2.7-1.4.91mdk.i586.rpm
 59a9763e113ad2f319c826b8e13762d0  9.1/RPMS/telnet-server-krb5-1.2.7-1.4.91mdk.i586.rpm
 6c62e73e872133b51287c902d15511b1  9.1/SRPMS/krb5-1.2.7-1.4.91mdk.src.rpm

 Mandrakelinux 9.1/PPC:
 7105c4249b38453bc5fabf2ebe19b870  ppc/9.1/RPMS/ftp-client-krb5-1.2.7-1.4.91mdk.ppc.rpm
 5b8bdffbdd3cc36b7763a9fb380e366f  ppc/9.1/RPMS/ftp-server-krb5-1.2.7-1.4.91mdk.ppc.rpm
 d516817207e2773b33cb823d913e04c3  ppc/9.1/RPMS/krb5-devel-1.2.7-1.4.91mdk.ppc.rpm
 32fa10923b950f4a125e2228ad7cabca  ppc/9.1/RPMS/krb5-libs-1.2.7-1.4.91mdk.ppc.rpm
 6da80b652767d48a9305448470151229  ppc/9.1/RPMS/krb5-server-1.2.7-1.4.91mdk.ppc.rpm
 1f7e604cf9a7e305facd53542c3e15df  ppc/9.1/RPMS/krb5-workstation-1.2.7-1.4.91mdk.ppc.rpm
 b9dee2c91cd387e0d6e062a1ccc00662  ppc/9.1/RPMS/telnet-client-krb5-1.2.7-1.4.91mdk.ppc.rpm
 fb648e078c85433de7f9ac7ef90709dc  ppc/9.1/RPMS/telnet-server-krb5-1.2.7-1.4.91mdk.ppc.rpm
 6c62e73e872133b51287c902d15511b1  ppc/9.1/SRPMS/krb5-1.2.7-1.4.91mdk.src.rpm

 Mandrakelinux 9.2:
 90415502d5a62a79594f5fef4244e7c8  9.2/RPMS/ftp-client-krb5-1.3-3.3.92mdk.i586.rpm
 7d82c32903319720fba066204ab175e1  9.2/RPMS/ftp-server-krb5-1.3-3.3.92mdk.i586.rpm
 b1ddf3c172f89fb13fa0f786969ccc31  9.2/RPMS/krb5-server-1.3-3.3.92mdk.i586.rpm
 40acba56c3e11c475e31de3a1bae0cb5  9.2/RPMS/krb5-workstation-1.3-3.3.92mdk.i586.rpm
 cfd5554e669ef905f74594bcba6ccf4c  9.2/RPMS/libkrb51-1.3-3.3.92mdk.i586.rpm
 5ea52458e2d00aa6a300aaa5a50ca389  9.2/RPMS/libkrb51-devel-1.3-3.3.92mdk.i586.rpm
 6c081822fb10635aa6794e9930b3a2ea  9.2/RPMS/telnet-client-krb5-1.3-3.3.92mdk.i586.rpm
 2a41c73fa2475981a944062984a2dd2d  9.2/RPMS/telnet-server-krb5-1.3-3.3.92mdk.i586.rpm
 8799df57f8078659c7942a18da4f180b  9.2/SRPMS/krb5-1.3-3.3.92mdk.src.rpm

 Mandrakelinux 9.2/AMD64:
 cb418490002d5bfc9a063a35e04e4b06  amd64/9.2/RPMS/ftp-client-krb5-1.3-3.3.92mdk.amd64.rpm
 6eb46b17f7d259196837767edaf0362e  amd64/9.2/RPMS/ftp-server-krb5-1.3-3.3.92mdk.amd64.rpm
 bfec6312e1bfe7df0af348238ffb3e54  amd64/9.2/RPMS/krb5-server-1.3-3.3.92mdk.amd64.rpm
 8db31b019fed08e22731bcc42528b883  amd64/9.2/RPMS/krb5-workstation-1.3-3.3.92mdk.amd64.rpm
 7d167edd4f1586679651851964ce90ea  amd64/9.2/RPMS/lib64krb51-1.3-3.3.92mdk.amd64.rpm
 e16b452c492c3b38b47e5f7ac29ccb51  amd64/9.2/RPMS/lib64krb51-devel-1.3-3.3.92mdk.amd64.rpm
 46e3c90ed9654d144f4c1970857abc44  amd64/9.2/RPMS/telnet-client-krb5-1.3-3.3.92mdk.amd64.rpm
 e6ba681247da6ff006841be52ec974d1  amd64/9.2/RPMS/telnet-server-krb5-1.3-3.3.92mdk.amd64.rpm
 8799df57f8078659c7942a18da4f180b  amd64/9.2/SRPMS/krb5-1.3-3.3.92mdk.src.rpm

 Multi Network Firewall 8.2:
 e8fb8405db0a463f4f83bad54064770f  mnf8.2/RPMS/krb5-libs-1.2.2-17.8.M82mdk.i586.rpm
 da83d39d128b15e4ed7c5311c3753ce4  mnf8.2/SRPMS/krb5-1.2.2-17.8.M82mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrakeUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandrakesoft for security.  You can obtain
 the GPG public key of the Mandrakelinux Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandrakelinux at:

  http://www.mandrakesoft.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
  <security linux-mandrake.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBNRc0mqjQ0CJFipgRAv+DAKCYaTBXyq5hI+7/A0Tw/2L5Ox+Z2ACeN5Bk
Im34K0OyWO3svhYoEtegTMc=
=SNj3
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ