Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[ GLSA 200409-09 ] MIT krb5: Multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index News & Announcements
View previous topic :: View next topic  
Author Message
GLSA
Moderator
Moderator


Joined: 13 Jun 2003
Posts: 4078
Location: Barcelona, Spain

PostPosted: Mon Sep 06, 2004 12:42 pm    Post subject: [ GLSA 200409-09 ] MIT krb5: Multiple vulnerabilities Reply with quote

Gentoo Linux Security Advisory

Title: MIT krb5: Multiple vulnerabilities (GLSA 200409-09)
Severity: high
Exploitable: remote
Date: September 06, 2004
Bug(s): #62417
ID: 200409-09

Synopsis

MIT krb5 contains several double-free vulnerabilities, potentially allowing the execution of arbitrary code, as well as a denial of service vulnerability.

Background

MIT krb5 is the free implementation of the Kerberos network authentication protocol by the Massachusetts Institute of Technology.

Affected Packages

Package: app-crypt/mit-krb5
Vulnerable: < 1.3.4
Unaffected: >= 1.3.4
Architectures: All supported architectures


Description

The implementation of the Key Distribution Center (KDC) and the MIT krb5 library contain double-free vulnerabilities, making client programs as well as application servers vulnerable. The ASN.1 decoder library is vulnerable to a denial of service attack, including the KDC.

Impact

The double-free vulnerabilities could allow an attacker to execute arbitrary code on a KDC host and hosts running krb524d or vulnerable services. In the case of a KDC host, this can lead to a compromise of the entire Kerberos realm. Furthermore, an attacker impersonating a legitimate KDC or application server can potentially execute arbitrary code on authenticating clients. An attacker can cause a denial of service for a KDC or application server and clients, the latter if impersonating a legitimate KDC or application server.

Workaround

There is no known workaround at this time.

Resolution

All mit-krb5 users should upgrade to the latest stable version:
Code:
# emerge sync
# emerge -pv ">=app-crypt/mit-krb5-1.3.4"
# emerge ">=app-crypt/mit-krb5-1.3.4"


References

MIT krb5 Security Advisory 2004-002
MIT krb5 Security Advisory 2004-003
CAN-2004-0642
CAN-2004-0643
CAN-2004-0644
CAN-2004-0772


Last edited by GLSA on Sun May 07, 2006 4:52 pm; edited 1 time in total
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index News & Announcements All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum