[ GLSA 201201-13 ] MIT Kerberos 5: Multiple vulnerabilities

[GLSA]

Gentoo Linux Security Advisory

Title: MIT Kerberos 5: Multiple vulnerabilities (GLSA 201201-13)
Severity: high
Exploitable: remote
Date: January 23, 2012
Bug(s): #303723, #308021, #321935, #323525, #339866, #347369, #352859, #359129, #363507, #387585, #393429
ID: 201201-13

Synopsis

Multiple vulnerabilities have been found in MIT Kerberos 5, the
most severe of which may allow remote execution of arbitrary code.


Background

MIT Kerberos 5 is a suite of applications that implement the Kerberos
network protocol.


Affected Packages

Package: app-crypt/mit-krb5
Vulnerable: < 1.9.2-r1
Unaffected: >= 1.9.2-r1
Architectures: All supported architectures


Description

Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please
review the CVE identifiers referenced below for details.


Impact

A remote attacker may be able to execute arbitrary code with the
privileges of the administration daemon or the Key Distribution Center
(KDC) daemon, cause a Denial of Service condition, or possibly obtain
sensitive information. Furthermore, a remote attacker may be able to
spoof Kerberos authorization, modify KDC responses, forge user data
messages, forge tokens, forge signatures, impersonate a client, modify
user-visible prompt text, or have other unspecified impact.


Workaround

There is no known workaround at this time.

Resolution

All MIT Kerberos 5 users should upgrade to the latest version: