Message-Id: <E1PNbNV-0000Dp-Cm@titan.mandriva.com>
Date: Wed, 01 Dec 2010 02:21:01 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:245 ] krb5

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:245
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : krb5
 Date    : November 30, 2010
 Affected: 2009.0, 2010.0, Corporate 4.0
 _______________________________________________________________________

 Problem Description:

 A vulnerability was discovered and corrected in krb5:
 
 An unauthenticated remote attacker could alter a SAM-2 challenge,
 affecting the prompt text seen by the user or the kind of response
 sent to the KDC. Under some circumstances, this can negate the
 incremental security benefit of using a single-use authentication
 mechanism token. An unauthenticated remote attacker has a 1/256
 chance of forging KRB-SAFE messages in an application protocol if the
 targeted pre-existing session uses an RC4 session key.  Few application
 protocols use KRB-SAFE messages (CVE-2010-1323).
 
 Packages for 2009.0 are provided as part of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 The updated packages have been patched to correct this issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1323
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:

 Mandriva Linux 2009.0/X86_64:

 Mandriva Linux 2010.0:

 Mandriva Linux 2010.0/X86_64:

 Corporate 4.0:

 Corporate 4.0/X86_64:
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
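An added example, not part of the Mandriva advisory: a POSIX shell check of manually downloaded RPMs against the advisory's "<md5>  <distro-relative path>" lines (the sample package file, its hash and the list file are constructed here). The md5 match only proves integrity; authenticity comes from the Mandriva GPG signature on each package, which urpmi and MandrivaUpdate verify for you.

```shell
#!/bin/sh
# Added example (not from the advisory). Verifies downloaded RPMs against
# advisory-style "<md5>  <path>" lines. Integrity only: the package GPG
# signature (rpm --checksig) is what proves the RPM came from Mandriva.

# verify_md5_line <download_dir> "<md5>  <path>"
# Looks up the basename of <path> under <download_dir>; prints ok/FAIL/MISSING.
verify_md5_line() {
    dir=$1
    expected=$(printf '%s\n' "$2" | awk '{print $1}')
    file="$dir/$(basename "$(printf '%s\n' "$2" | awk '{print $2}')")"
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }
    actual=$(md5sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "ok   $file"; return 0
    else
        echo "FAIL $file (expected $expected, got $actual)"; return 1
    fi
}

# verify_md5_list <download_dir> <listfile>
# One advisory line per input line (blank lines and '#' comments skipped);
# returns non-zero if any file is missing or mismatched.
verify_md5_list() {
    rc=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        verify_md5_line "$1" "$line" || rc=1
    done < "$2"
    return $rc
}

# Constructed demo input: a fake package file and the line an advisory would
# carry for it (the real advisory lines use the same two-column layout).
demo_dir=$(mktemp -d)
printf 'constructed package payload\n' > "$demo_dir/krb5-EXAMPLE.i586.rpm"
good_md5=$(md5sum "$demo_dir/krb5-EXAMPLE.i586.rpm" | awk '{print $1}')
printf '%s  2010.0/i586/krb5-EXAMPLE.i586.rpm\n' "$good_md5" > "$demo_dir/list.txt"
verify_md5_list "$demo_dir" "$demo_dir/list.txt"
```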

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com>
