lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-id: <E1Jc6Nx-0000Nc-CC@artemis.annvix.ca>
Date: Wed, 19 Mar 2008 16:03:49 -0600
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2008:070 ] - Updated Kerberos packages
 fix multiple vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDVSA-2008:070
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : krb5
 Date    : March 19, 2008
 Affected: 2007.0, Corporate 4.0
 _______________________________________________________________________
 
 Problem Description:
 
 A memory management flaw was found in the GSSAPI library used by
 Kerberos that could result in an attempt to free already freed memory,
 possibly leading to a crash or allowing the execution of arbitrary code
 (CVE-2007-5971).
 
 A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4
 protocol packets.  An unauthenticated remote attacker could use this
 flaw to crash the krb5kdc daemon, disclose portions of its memory,
 or possibly %execute arbitrary code using malformed or truncated
 Kerberos v4 protocol requests (CVE-2008-0062, CVE-2008-0063).
 
 This issue only affects krb5kdc when it has Kerberos v4 protocol
 compatibility enabled, which is a compiled-in default in all
 Kerberos versions that Mandriva Linux ships prior to Mandriva
 Linux 2008.0.  Kerberos v4 protocol support can be disabled by
 adding v4_mode=none (without quotes) to the [kdcdefaults] section
 of /etc/kerberos/krb5kdc/kdc.conf.
 
 A flaw in the RPC library as used in Kerberos' kadmind was discovered
 by Jeff Altman of Secure Endpoints.  An unauthenticated remote attacker
 could use this vulnerability to crash kadmind or possibly execute
 arbitrary code in systems with certain resource limits configured;
 this does not affect the default resource limits used by Mandriva Linux
 (CVE-2008-0947).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt
 _______________________________________________________________________
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 ef17fea5e296992fb34b0d00540b4190  2007.0/i586/ftp-client-krb5-1.4.3-7.4mdv2007.0.i586.rpm
 dbc47795968f03dff7eb50ff34a63b8d  2007.0/i586/ftp-server-krb5-1.4.3-7.4mdv2007.0.i586.rpm
 36f5b4160b9dc7d4393b8bc5f4f0b6fb  2007.0/i586/krb5-server-1.4.3-7.4mdv2007.0.i586.rpm
 f76121f223836939aef1f77164a7224d  2007.0/i586/krb5-workstation-1.4.3-7.4mdv2007.0.i586.rpm
 65c052a4916406626b3289abdb43e0a6  2007.0/i586/libkrb53-1.4.3-7.4mdv2007.0.i586.rpm
 e50117c585a8560813bc93704562e726  2007.0/i586/libkrb53-devel-1.4.3-7.4mdv2007.0.i586.rpm
 1f99498d879f9343510479f2791245ac  2007.0/i586/telnet-client-krb5-1.4.3-7.4mdv2007.0.i586.rpm
 9ed009750d2bcf738ceefce2e4c69512  2007.0/i586/telnet-server-krb5-1.4.3-7.4mdv2007.0.i586.rpm 
 9e63ac2d698d562ead71d5dd8c7ae315  2007.0/SRPMS/krb5-1.4.3-7.4mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 029aad278f01c2baef9f93b86b0bc20d  2007.0/x86_64/ftp-client-krb5-1.4.3-7.4mdv2007.0.x86_64.rpm
 dae016ff39d8e4d9f517b3197eefd926  2007.0/x86_64/ftp-server-krb5-1.4.3-7.4mdv2007.0.x86_64.rpm
 8b3fac7b20798715efdad0d0db6b4472  2007.0/x86_64/krb5-server-1.4.3-7.4mdv2007.0.x86_64.rpm
 81f6c05a73c175b581790532aa8572f1  2007.0/x86_64/krb5-workstation-1.4.3-7.4mdv2007.0.x86_64.rpm
 41e10d5f06e05ea4cf455a0c3420d09f  2007.0/x86_64/lib64krb53-1.4.3-7.4mdv2007.0.x86_64.rpm
 eeebf59564375187f01f628be3ac5132  2007.0/x86_64/lib64krb53-devel-1.4.3-7.4mdv2007.0.x86_64.rpm
 cff3b7303e5d157e4ef246867ba396e8  2007.0/x86_64/telnet-client-krb5-1.4.3-7.4mdv2007.0.x86_64.rpm
 ee55c784f89a1190efb9ce619ba34227  2007.0/x86_64/telnet-server-krb5-1.4.3-7.4mdv2007.0.x86_64.rpm 
 9e63ac2d698d562ead71d5dd8c7ae315  2007.0/SRPMS/krb5-1.4.3-7.4mdv2007.0.src.rpm

 Corporate 4.0:
 d4dcc40949ba7e72823de561b2b5b050  corporate/4.0/i586/ftp-client-krb5-1.4.3-5.6.20060mlcs4.i586.rpm
 5e8b8cf4c051f235f2b4a3cc2a8c967c  corporate/4.0/i586/ftp-server-krb5-1.4.3-5.6.20060mlcs4.i586.rpm
 3c5812da62cc9a0cea89306877386ef7  corporate/4.0/i586/krb5-server-1.4.3-5.6.20060mlcs4.i586.rpm
 40b114f22d7109a125cdf5243160c5f1  corporate/4.0/i586/krb5-workstation-1.4.3-5.6.20060mlcs4.i586.rpm
 db7506751e5178556652b74d81b06c6d  corporate/4.0/i586/libkrb53-1.4.3-5.6.20060mlcs4.i586.rpm
 59ec6c3b207538656f2645eb3c0adf6a  corporate/4.0/i586/libkrb53-devel-1.4.3-5.6.20060mlcs4.i586.rpm
 fe234b5f259def09b88fba24869eba83  corporate/4.0/i586/telnet-client-krb5-1.4.3-5.6.20060mlcs4.i586.rpm
 e2b51de61c9a91686e98a05ea98ec05f  corporate/4.0/i586/telnet-server-krb5-1.4.3-5.6.20060mlcs4.i586.rpm 
 6a739594760cabeb536550168eefb333  corporate/4.0/SRPMS/krb5-1.4.3-5.6.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 0b23f077db4f274b061f34eb50f47634  corporate/4.0/x86_64/ftp-client-krb5-1.4.3-5.6.20060mlcs4.x86_64.rpm
 c70ca9de25fa8c9f7504f344b5be613a  corporate/4.0/x86_64/ftp-server-krb5-1.4.3-5.6.20060mlcs4.x86_64.rpm
 ca075a30dfeb617f808d616bbf420c63  corporate/4.0/x86_64/krb5-server-1.4.3-5.6.20060mlcs4.x86_64.rpm
 76ec4cd64c814c9cdf44e7c734f66cd9  corporate/4.0/x86_64/krb5-workstation-1.4.3-5.6.20060mlcs4.x86_64.rpm
 8eb62cc682d40a65a4b94aedb326cfc0  corporate/4.0/x86_64/lib64krb53-1.4.3-5.6.20060mlcs4.x86_64.rpm
 538eb51b88db5d5a368bdbdf74607501  corporate/4.0/x86_64/lib64krb53-devel-1.4.3-5.6.20060mlcs4.x86_64.rpm
 c22a1ac95f1a15fb65ee0eec60472936  corporate/4.0/x86_64/telnet-client-krb5-1.4.3-5.6.20060mlcs4.x86_64.rpm
 b64f38875ba0dbf2441b1fd78dbf585d  corporate/4.0/x86_64/telnet-server-krb5-1.4.3-5.6.20060mlcs4.x86_64.rpm 
 6a739594760cabeb536550168eefb333  corporate/4.0/SRPMS/krb5-1.4.3-5.6.20060mlcs4.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)

iD8DBQFH4WLsmqjQ0CJFipgRAqPPAKDOpukZQTnwRrBaWSnGspor0gG/LwCg6fPB
/jGRkhAI24wO20EBKKpdYF0=
=Z6Kl
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ