Message-id: <E1Jc6Hs-0000Gk-7w@artemis.annvix.ca>
Date: Wed, 19 Mar 2008 15:57:32 -0600
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2008:069 ] - Updated Kerberos packages fix multiple vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDVSA-2008:069
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : krb5
 Date    : March 19, 2008
 Affected: 2007.1, 2008.0
 _______________________________________________________________________
 
 Problem Description:
 
 Multiple memory management flaws were found in the GSSAPI library
 used by Kerberos that could result in the use of already freed memory
 or an attempt to free already freed memory, possibly leading to a
 crash or allowing the execution of arbitrary code (CVE-2007-5901,
 CVE-2007-5971).
 
 A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4
 protocol packets.  An unauthenticated remote attacker could use this
 flaw to crash the krb5kdc daemon, disclose portions of its memory,
 or possibly execute arbitrary code using malformed or truncated
 Kerberos v4 protocol requests (CVE-2008-0062, CVE-2008-0063).
 
 These two issues (CVE-2008-0062, CVE-2008-0063) only affect krb5kdc
 when it has Kerberos v4 protocol compatibility enabled, which is a
 compiled-in default in all Kerberos versions that Mandriva Linux ships
 prior to Mandriva Linux 2008.0.  Kerberos v4 protocol support can be
 disabled by adding v4_mode=none (without quotes) to the [kdcdefaults]
 section of /etc/kerberos/krb5kdc/kdc.conf and restarting krb5kdc.
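The mitigation above as an added, runnable check and fix script (this is the editor's example, not code from the Mandriva advisory or from MIT Kerberos). It reports whether a kdc.conf still accepts v4 requests, which is the precondition for CVE-2008-0062 and CVE-2008-0063, and rewrites the [kdcdefaults] section so it carries v4_mode = none. The default file path is the one the advisory names; the KDC_CONF variable and the sample configuration in the demo are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Mandriva advisory or of MIT Kerberos: check
# whether a krb5kdc configuration still accepts Kerberos v4 requests (the
# precondition for CVE-2008-0062 / CVE-2008-0063) and apply the mitigation
# the advisory names, v4_mode=none in [kdcdefaults].  The default path is the
# one the advisory gives; KDC_CONF and the sample configuration used by the
# demo at the bottom are this example's own assumptions.

KDC_CONF="${KDC_CONF:-/etc/kerberos/krb5kdc/kdc.conf}"

# krb4_status FILE: print "disabled" when [kdcdefaults] sets v4_mode = none,
# otherwise "enabled" (which includes the compiled-in default of no v4_mode
# line at all).  Tracking the current section keeps a v4_mode line inside
# some other stanza from being mistaken for the global KDC setting.
krb4_status() {
    awk '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec) }
        sec == "kdcdefaults" && /^[ \t]*v4_mode[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (val == "none") found = 1
        }
        END { print (found ? "disabled" : "enabled") }
    ' "$1"
}

# disable_krb4 FILE: rewrite FILE so that [kdcdefaults] holds exactly one
# v4_mode line, set to none.  An existing v4_mode line in that section is
# replaced (so a weaker value such as "full" cannot linger next to the new
# one), otherwise the setting is added at the end of the section, and the
# section itself is created when the file has none.  Idempotent.
disable_krb4() {
    f="$1"
    [ "$(krb4_status "$f")" = "disabled" ] && return 0
    awk '
        # blank lines inside [kdcdefaults] are held back so the new line
        # lands after the last real setting, not after the trailing gap
        function drain() { while (pending > 0) { print ""; pending-- } }
        function flush() {
            if (sec == "kdcdefaults" && !done) { print "    v4_mode = none"; done = 1 }
            drain()
        }
        /^[ \t]*\[/ { flush(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); print; next }
        sec == "kdcdefaults" && /^[ \t]*$/ { pending++; next }
        sec == "kdcdefaults" && /^[ \t]*v4_mode[ \t]*=/ { drain(); print "    v4_mode = none"; done = 1; next }
        { drain(); print }
        END {
            flush()
            if (!done) { print ""; print "[kdcdefaults]"; print "    v4_mode = none" }
        }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Demo on a constructed kdc.conf (the real file is never touched): a KDC that
# relies on the compiled-in default, i.e. has no v4_mode line, which the
# advisory says means v4 compatibility is on.  Run the functions against
# "$KDC_CONF" instead to check or fix a real KDC, then restart krb5kdc.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[kdcdefaults]
    kdc_ports = 88,750

[realms]
    EXAMPLE.COM = {
        database_name = /var/kerberos/krb5kdc/principal
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
    }
EOF
echo "before: krb4 $(krb4_status "$demo")"
disable_krb4 "$demo"
echo "after:  krb4 $(krb4_status "$demo")"
sed -n '/\[kdcdefaults\]/,/^$/p' "$demo"
rm -f "$demo"
```

The section tracking matters because the profile format lets the same key appear in several stanzas; a v4_mode line under a realm is not the KDC-wide setting, and a grep for the bare string would be fooled either way. The replace-rather-than-append rule avoids leaving a stronger and a weaker v4_mode value in the same section, where which one wins is a property of the profile library rather than of the file.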
 
 A flaw in the RPC library as used in Kerberos' kadmind was discovered
 by Jeff Altman of Secure Endpoints.  An unauthenticated remote attacker
 could use this vulnerability to crash kadmind or possibly execute
 arbitrary code in systems with certain resource limits configured;
 this does not affect the default resource limits used by Mandriva Linux
 (CVE-2008-0947).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5901
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.1:
 64c3f5c31177dcacc99b021ec6ed1271  2007.1/i586/ftp-client-krb5-1.5.2-6.6mdv2007.1.i586.rpm
 11b4194bc9edba8c0951e44660ba9955  2007.1/i586/ftp-server-krb5-1.5.2-6.6mdv2007.1.i586.rpm
 23794e6e0cb1d46a329c42a04f672c5f  2007.1/i586/krb5-server-1.5.2-6.6mdv2007.1.i586.rpm
 0fbb29bd81c8452d937d30fbbda62242  2007.1/i586/krb5-workstation-1.5.2-6.6mdv2007.1.i586.rpm
 8f4eea60bf4ea3bfc776f1c117ceb26d  2007.1/i586/libkrb53-1.5.2-6.6mdv2007.1.i586.rpm
 fd5b1da0a056d995011d2b1a692e4292  2007.1/i586/libkrb53-devel-1.5.2-6.6mdv2007.1.i586.rpm
 ca79ccbe3f286b9069f0ae028d9816f7  2007.1/i586/telnet-client-krb5-1.5.2-6.6mdv2007.1.i586.rpm
 8a7c84f1fe1bbb5338723f28d12a9f21  2007.1/i586/telnet-server-krb5-1.5.2-6.6mdv2007.1.i586.rpm 
 22830790ad7715479b7d4fbecc6c1e7f  2007.1/SRPMS/krb5-1.5.2-6.6mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 fc02060b7c1da08c33952e6c14fb5627  2007.1/x86_64/ftp-client-krb5-1.5.2-6.6mdv2007.1.x86_64.rpm
 513fca34bdd1f2a5643a8e6adeb62e0e  2007.1/x86_64/ftp-server-krb5-1.5.2-6.6mdv2007.1.x86_64.rpm
 4f42d639753a885212e6d62bfe84a121  2007.1/x86_64/krb5-server-1.5.2-6.6mdv2007.1.x86_64.rpm
 6b2ca028321fb08199be20a4aedef4a0  2007.1/x86_64/krb5-workstation-1.5.2-6.6mdv2007.1.x86_64.rpm
 4d453dc2a579e74e29dfc052197fedc1  2007.1/x86_64/lib64krb53-1.5.2-6.6mdv2007.1.x86_64.rpm
 b22d9f1b515df1a5270d2d4c373b7dd3  2007.1/x86_64/lib64krb53-devel-1.5.2-6.6mdv2007.1.x86_64.rpm
 21b245649de9e38e43782bd1a18922a7  2007.1/x86_64/telnet-client-krb5-1.5.2-6.6mdv2007.1.x86_64.rpm
 1322374ab1c15b5c1392ee4ae5f915e7  2007.1/x86_64/telnet-server-krb5-1.5.2-6.6mdv2007.1.x86_64.rpm 
 22830790ad7715479b7d4fbecc6c1e7f  2007.1/SRPMS/krb5-1.5.2-6.6mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 3ee5a309927b830bf8559a872161384b  2008.0/i586/ftp-client-krb5-1.6.2-7.1mdv2008.0.i586.rpm
 1835baa43ab27aac2493dc7821bafa8a  2008.0/i586/ftp-server-krb5-1.6.2-7.1mdv2008.0.i586.rpm
 5e8369c201ac4678a7bc46590107e45f  2008.0/i586/krb5-1.6.2-7.1mdv2008.0.i586.rpm
 94277e76faf2b75553c2e6250e428a43  2008.0/i586/krb5-server-1.6.2-7.1mdv2008.0.i586.rpm
 695d5b85347b906401433fa55177be1a  2008.0/i586/krb5-workstation-1.6.2-7.1mdv2008.0.i586.rpm
 4696cbae0ce644c265b74ff4ce59a865  2008.0/i586/libkrb53-1.6.2-7.1mdv2008.0.i586.rpm
 cc8122a1c6a3449fc41d3022bbdffeb2  2008.0/i586/libkrb53-devel-1.6.2-7.1mdv2008.0.i586.rpm
 d5e75835b35e81a3f7d038e501dabd1c  2008.0/i586/telnet-client-krb5-1.6.2-7.1mdv2008.0.i586.rpm
 072b5ba782fbd1659ed8bde15bd11b5a  2008.0/i586/telnet-server-krb5-1.6.2-7.1mdv2008.0.i586.rpm 
 cfd133fde8cc72b038ea61dc94405701  2008.0/SRPMS/krb5-1.6.2-7.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 7a8c1c390b1d1a0b2a8fe28e8fb6a458  2008.0/x86_64/ftp-client-krb5-1.6.2-7.1mdv2008.0.x86_64.rpm
 9b312bd49bd858d00d00ec299866a275  2008.0/x86_64/ftp-server-krb5-1.6.2-7.1mdv2008.0.x86_64.rpm
 19f7d0590227c4cc636ee5528db8027a  2008.0/x86_64/krb5-1.6.2-7.1mdv2008.0.x86_64.rpm
 6a84bc19cb8e32f7331ce4c1ed36dc9d  2008.0/x86_64/krb5-server-1.6.2-7.1mdv2008.0.x86_64.rpm
 dabaf97b9b36316dc2b69e9edc953793  2008.0/x86_64/krb5-workstation-1.6.2-7.1mdv2008.0.x86_64.rpm
 2810bbed78b7480ff48b021a798cb5a1  2008.0/x86_64/lib64krb53-1.6.2-7.1mdv2008.0.x86_64.rpm
 734b018e6b05204767d07a7d53ef2c3c  2008.0/x86_64/lib64krb53-devel-1.6.2-7.1mdv2008.0.x86_64.rpm
 787fb5ea70eff84b91eea5d68c1e956d  2008.0/x86_64/telnet-client-krb5-1.6.2-7.1mdv2008.0.x86_64.rpm
 d6224c005bc7c818c117e3fc61643840  2008.0/x86_64/telnet-server-krb5-1.6.2-7.1mdv2008.0.x86_64.rpm 
 cfd133fde8cc72b038ea61dc94405701  2008.0/SRPMS/krb5-1.6.2-7.1mdv2008.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
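For packages fetched by hand rather than through urpmi, the following added example (the editor's, not part of the advisory) does the check that urpmi would otherwise do for you, using the "Updated Packages" list above, which is already in the two-space format md5sum -c expects. The advisory file name, the package directory and the stand-in package contents in the demo are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Mandriva advisory: verify packages fetched
# by hand (rather than through urpmi or MandrivaUpdate, which check them for
# you) against the "Updated Packages" list above.  That list is already in
# md5sum -c format, "<md5>  <release>/<arch>/<file>", so it can be fed to
# md5sum directly once the lines for one release are cut out.  The file and
# directory names used below are this example's own assumptions.

# verify_pkgs ADVISORY RELEASE PKGDIR
#   ADVISORY  a saved plain-text copy of the advisory
#   RELEASE   which block of lines to check, e.g. 2008.0 or 2007.1
#   PKGDIR    directory holding the downloaded <release>/<arch>/... tree
# Exit status 0 only when every listed package for RELEASE is present and its
# MD5 matches; 1 on any mismatch or missing file; 2 if no lines were found.
verify_pkgs() {
    adv="$1"; rel="$2"; dir="$3"
    list=$(mktemp)
    # keep the checksum lines for this release, strip the advisory's leading
    # and trailing spaces (a trailing space would become part of the file
    # name), and drop the SRPM line that the advisory repeats per arch
    grep -E "^ *[0-9a-f]{32}  $rel/" "$adv" | sed 's/^ *//; s/ *$//' | sort -u > "$list"
    if [ ! -s "$list" ]; then
        echo "verify_pkgs: no package lines for release $rel in $adv" >&2
        rm -f "$list"
        return 2
    fi
    ( cd "$dir" && md5sum -c "$list" )
    rc=$?
    rm -f "$list"
    return "$rc"
}

# check_sigs PKGDIR: the MD5 list only proves the download matches what the
# advisory mail says; the RPM signature is what ties it to Mandriva.  Needs
# the team key imported into the rpm keyring first (rpm --import), which is
# separate from the gpg keyring that the advisory's gpg --recv-keys fills.
check_sigs() {
    find "$1" -name '*.rpm' -exec rpm --checksig {} +
}

# Demo on a constructed package tree and advisory excerpt; the contents are
# stand-ins for the real RPMs, so only the MD5 check is exercised here.
d=$(mktemp -d); adv=$(mktemp)
mkdir -p "$d/2008.0/i586"
printf 'stand-in for an rpm\n' > "$d/2008.0/i586/krb5-1.6.2-7.1mdv2008.0.i586.rpm"
sum=$(cd "$d" && md5sum 2008.0/i586/krb5-1.6.2-7.1mdv2008.0.i586.rpm | cut -d' ' -f1)
printf ' Mandriva Linux 2008.0:\n %s  2008.0/i586/krb5-1.6.2-7.1mdv2008.0.i586.rpm \n' "$sum" > "$adv"
verify_pkgs "$adv" 2008.0 "$d" && echo "2008.0 packages match the advisory"
printf 'appended byte\n' >> "$d/2008.0/i586/krb5-1.6.2-7.1mdv2008.0.i586.rpm"
verify_pkgs "$adv" 2008.0 "$d" || echo "tampered package rejected (status $?)"
rm -rf "$d" "$adv"
```

The MD5 list is only as trustworthy as the mail it arrived in, which is why the advisory is PGP-signed; check that signature against the 0x22458A98 key before relying on the list, and let rpm --checksig confirm that each package itself was signed by Mandriva, since a matching digest alone says nothing about who built the file.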

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)

iD8DBQFH4WG/mqjQ0CJFipgRAom/AKDt3NL//QdT6Aw4zm4Ok/TlQjpNLQCeJ2qJ
Hsy0RD3h2ilxoUTodKz7J5k=
=y37y
-----END PGP SIGNATURE-----
