lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1Klu17-0006Yc-07@titan.mandriva.com>
Date: Fri, 03 Oct 2008 17:25:00 -0600
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2008:209 ] pam_krb5


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:209
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pam_krb5
 Date    : October 3, 2008
 Affected: 2007.1, 2008.0, 2008.1
 _______________________________________________________________________

 Problem Description:

 Stéphane Bertin discovered a flaw in the pam_krb5 existing_ticket
 configuration option where, if enabled and using an existing credential
 cache, it was possible for a local user to gain elevated privileges
 by using a different, local user's credential cache (CVE-2008-3825).
 
 The updated packages have been patched to prevent this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3825
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.1:
 92901a92d669d10831a2357da8ac3ff8  2007.1/i586/pam_krb5-2.2.11-2.1mdv2007.1.i586.rpm 
 e8ba90e174669b8b43bf0bbf9c61831f  2007.1/SRPMS/pam_krb5-2.2.11-2.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 63e366f352ed36d5e6b7b87a84d25d33  2007.1/x86_64/pam_krb5-2.2.11-2.1mdv2007.1.x86_64.rpm 
 e8ba90e174669b8b43bf0bbf9c61831f  2007.1/SRPMS/pam_krb5-2.2.11-2.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 d5d6796b990f19316ee7a53d87745d63  2008.0/i586/pam_krb5-2.2.11-2.1mdv2008.0.i586.rpm 
 8b2d51b298306d43dfde2fe6f9cb0860  2008.0/SRPMS/pam_krb5-2.2.11-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 5cb8c3f5768cdc475bfa81e14244856b  2008.0/x86_64/pam_krb5-2.2.11-2.1mdv2008.0.x86_64.rpm 
 8b2d51b298306d43dfde2fe6f9cb0860  2008.0/SRPMS/pam_krb5-2.2.11-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 2d30041830c5c3db19a23e096a968426  2008.1/i586/pam_krb5-2.2.11-2.1mdv2008.1.i586.rpm 
 2d1f96e821e05ddba6ffe3d1cee2247b  2008.1/SRPMS/pam_krb5-2.2.11-2.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 d07f560edf337af6279a888fd695aa49  2008.1/x86_64/pam_krb5-2.2.11-2.1mdv2008.1.x86_64.rpm 
 2d1f96e821e05ddba6ffe3d1cee2247b  2008.1/SRPMS/pam_krb5-2.2.11-2.1mdv2008.1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFI5nytmqjQ0CJFipgRAsqfAJ9gUQ/XJ8nhzX294hQulpz0ULJtuwCZAV0K
y4avzIV2yDHQt6qdOPEh7Pc=
=IVkL
-----END PGP SIGNATURE-----


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ