[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1PDHv2-0003Xa-Ty@titan.mandriva.com>
Date: Tue, 02 Nov 2010 15:33:00 +0100
From: security@...driva.com
To: bugtraq@...urityfocus.com
Subject: [ MDVSA-2010:202-1 ] krb5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:202-1
http://www.mandriva.com/security/
_______________________________________________________________________
Package : krb5
Date : November 2, 2010
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
A vulnerability was discovered and corrected in krb5:
The merge_authdata function in kdc_authdata.c in the Key Distribution
Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does
not properly manage an index into an authorization-data list, which
allows remote attackers to cause a denial of service (daemon crash),
or possibly obtain sensitive information, spoof authorization,
or execute arbitrary code, via a TGS request, as demonstrated by a
request from a Windows Active Directory client (CVE-2010-1322).
The updated packages have been patched to correct this issue.
Update:
Update packages for MES5 were missing with the MDVSA-2010:202
advisory. This advisory provides the update packages.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1322
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
9861393bd5a3d68522009a7aa7f1c464 mes5/i586/krb5-1.8.1-0.2mdvmes5.1.i586.rpm
322533f773fc193c80a9ada2832a8509 mes5/i586/krb5-pkinit-openssl-1.8.1-0.2mdvmes5.1.i586.rpm
c136e6a7af35261c85680d711a250d4e mes5/i586/krb5-server-1.8.1-0.2mdvmes5.1.i586.rpm
11f482c3e89a3bd604cce91a2a9350d4 mes5/i586/krb5-server-ldap-1.8.1-0.2mdvmes5.1.i586.rpm
996820e1994bdb9ffc5d2992426e6a28 mes5/i586/krb5-workstation-1.8.1-0.2mdvmes5.1.i586.rpm
ffd0a9897c5fe0dbf28f026d019566cc mes5/i586/libkrb53-1.8.1-0.2mdvmes5.1.i586.rpm
fe92a3a286a954a0b59874384da33159 mes5/i586/libkrb53-devel-1.8.1-0.2mdvmes5.1.i586.rpm
c789015f879f629e501fea39dbfe7165 mes5/SRPMS/krb5-1.8.1-0.2mdvmes5.1.src.rpm
Mandriva Enterprise Server 5/X86_64:
e2ac6d2ae7b216bb1085eedb7a3656b5 mes5/x86_64/krb5-1.8.1-0.2mdvmes5.1.x86_64.rpm
c6905743e2859e27588c9be83f240ce2 mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.2mdvmes5.1.x86_64.rpm
5f2ac7007222213cec343f0edfeaef4a mes5/x86_64/krb5-server-1.8.1-0.2mdvmes5.1.x86_64.rpm
cdbf46e0ebf1a757d866680ca14300ed mes5/x86_64/krb5-server-ldap-1.8.1-0.2mdvmes5.1.x86_64.rpm
d975cc9e3bfc877b89e8a070fb9c9c89 mes5/x86_64/krb5-workstation-1.8.1-0.2mdvmes5.1.x86_64.rpm
3d501997aa0f61c7c4ecf68a68b37a5a mes5/x86_64/lib64krb53-1.8.1-0.2mdvmes5.1.x86_64.rpm
5fb83ceb94d50beb80d41658b2495e34 mes5/x86_64/lib64krb53-devel-1.8.1-0.2mdvmes5.1.x86_64.rpm
c789015f879f629e501fea39dbfe7165 mes5/SRPMS/krb5-1.8.1-0.2mdvmes5.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFMz/XDmqjQ0CJFipgRAhQFAJ9OPZ2qrLbzgleKAP3rRAIXRVA/dgCfTvVg
Ywk5M3FfLpbMCv4jkCow72I=
=bRsh
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists