lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Thu, 06 Sep 2007 21:46:06 -0400
From: Foresight Linux Essential Announcement Service
	<foresight-security-noreply@...esightlinux.org>
To: foresight-security-announce@...ts.rpath.org
Cc: lwn@....net, security-alerts@...uxsecurity.com, bugtraq@...urityfocus.com,
	full-disclosure@...ts.grok.org.uk
Subject: FLEA-2007-0050-1 krb5 krb5-workstation

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Foresight Linux Essential Advisory: 2007-0050-1
Published: 2007-09-06

Rating: Critical

Updated Versions:
    krb5=/conary.rpath.com at rpl:devel//1/1.4.1-7.8-1
    krb5-workstation=/conary.rpath.com at rpl:devel//1/1.4.1-7.8-1
    group-dist=/foresight.rpath.org@fl:1-devel//1/1.3.2-0.17-2

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3999
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4743
    https://issues.rpath.com/browse/RPL-1696

Description:
    Previous versions of the krb5 package are vulnerable to an
    unauthenticated remote arbitrary code execution attack against
    the kadmind server.  Foresight Linux systems are not automatically
    configured with kadmind enabled.  Systems configured as kerberos
    administrative servers are vulnerable.

    6 September 2007 Update: CVE-2007-4743 was also assigned to this
    vulnerability due to a problem with the originally published patch
    (for CVE-2007-3999), which did not fully correct the vulnerability.
    The update provided for rPath Linux used the revised patch, which
    fully corrected the vulnerability.

    Note: Foresight Linux is not vulnerable to CVE-2007-4000 (which was
    announced coincident with CVE-2007-3999); it does not apply to the
    version of kerberos included in Foresight Linux.


Copyright 2007 rPath, Inc.
Copyright 2007 Foresight Linux Project
This file is distributed under the terms of the MIT License.
A copy is available at http://www.foresightlinux.org/permanent/mit-license.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG4K06Wu/kq4lN9jkRAuKbAJ9qblGHisp1f4DiM/IKvUQybqgsIACcChnD
Y7j17yIX+GQpE7EqnTDGPmU=
=MAO3
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ