
[ MDVSA-2008:069 ] - Updated Kerberos packages fix multiple vulnerabilities




 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDVSA-2008:069
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : krb5
 Date    : March 19, 2008
 Affected: 2007.1, 2008.0
 _______________________________________________________________________
 
 Problem Description:
 
 Multiple memory management flaws were found in the GSSAPI library
 used by Kerberos that could result in the use of already freed memory
 or an attempt to free already freed memory, possibly leading to a
 crash or allowing the execution of arbitrary code (CVE-2007-5901,
 CVE-2007-5971).
 
 A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4
 protocol packets.  An unauthenticated remote attacker could use this
 flaw to crash the krb5kdc daemon, disclose portions of its memory,
 or possibly execute arbitrary code using malformed or truncated
 Kerberos v4 protocol requests (CVE-2008-0062, CVE-2008-0063).
 
 This issue only affects krb5kdc when it has Kerberos v4 protocol
 compatibility enabled, which is a compiled-in default in all
 Kerberos versions that Mandriva Linux ships prior to Mandriva
 Linux 2008.0.  Kerberos v4 protocol support can be disabled by
 adding v4_mode=none (without quotes) to the [kdcdefaults] section
 of /etc/kerberos/krb5kdc/kdc.conf.
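 
 A way to audit whether a KDC already carries the mitigation above, added here as
 an example and not part of the Mandriva advisory: a small awk-based check that
 reports whether the [kdcdefaults] section of a kdc.conf sets v4_mode to none.
 The two sample configuration files are constructed for the demonstration; on a
 real host, pass /etc/kerberos/krb5kdc/kdc.conf to the function instead.

```shell
#!/bin/sh
# Added example (not from the advisory): does this kdc.conf disable Kerberos v4
# compatibility, i.e. does [kdcdefaults] contain v4_mode = none?

# kdc_v4_disabled FILE -> exit status 0 when [kdcdefaults] sets v4_mode to
# "none", 1 otherwise. Comment lines and trailing "#" comments are ignored; the
# first v4_mode relation in the section is assumed to be the effective one.
kdc_v4_disabled() {
    awk '
        /^[ \t]*#/ { next }                                    # comment line
        /^[ \t]*\[/ { sect = $0; gsub(/[][ \t]/, "", sect); next }  # [section]
        sect == "kdcdefaults" {
            line = $0; sub(/#.*/, "", line)                    # drop trailing comment
            if (split(line, kv, "=") == 2) {
                gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
                if (kv[1] == "v4_mode" && v4 == "") v4 = kv[2]
            }
        }
        END { if (v4 == "none") exit 0; exit 1 }
    ' "$1"
}

# Constructed samples: one KDC left at the compiled-in default (the v4_mode
# line is only a comment), one with the advisory mitigation applied.
VULN_CONF=$(mktemp); FIXED_CONF=$(mktemp)
cat > "$VULN_CONF" <<'EOF'
[kdcdefaults]
    kdc_ports = 88
    # v4_mode = none      <- commented out, so v4 compatibility stays enabled
EOF
cat > "$FIXED_CONF" <<'EOF'
[kdcdefaults]
    kdc_ports = 88
    v4_mode = none        # Kerberos v4 protocol support disabled
[realms]
    EXAMPLE.COM = {
        kdc_ports = 88
    }
EOF

for f in "$VULN_CONF" "$FIXED_CONF"; do
    if kdc_v4_disabled "$f"; then
        echo "$f: Kerberos v4 compatibility disabled"
    else
        echo "$f: Kerberos v4 compatibility still enabled; add v4_mode=none to [kdcdefaults]"
    fi
done
rm -f "$VULN_CONF" "$FIXED_CONF"
```

 The check only inspects the configuration file; a KDC built with v4 support
 disabled at compile time is safe regardless of what the function reports.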
 
 A flaw in the RPC library as used in Kerberos' kadmind was discovered
 by Jeff Altman of Secure Endpoints.  An unauthenticated remote attacker
 could use this vulnerability to crash kadmind or possibly execute
 arbitrary code in systems with certain resource limits configured;
 this does not affect the default resource limits used by Mandriva Linux
 (CVE-2008-0947).
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5901
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt
 _______________________________________________________________________
 
 Updated Packages:
 
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>