Gentoo: 200305-09 Critical Heimdal Kerberos Protocol Bug Remote Exploit
gentoo
May 27, 2003
heimdal suffers from the same vulnerability as mit-krb5 does, hence the identical advisory.
Summary
GENTOO LINUX SECURITY ANNOUNCEMENT 200305-09
heimdal suffers from the same vulnerability as mit-krb5 does, hence the identical advisory.
- - From advisory: "A cryptographic weakness in version 4 of the Kerberos protocol allows an attacker to use a chosen-plaintext attack to impersonate any principal in a realm. Additional cryptographic weaknesses in the krb4 implementation included in the MIT krb5 distribution permit the use of cut-and-paste attacks to fabricate krb4 tickets for unauthorized client principals if triple-DES keys are used to key krb4 services. These attacks can subvert a site's entire Kerberos authentication infrastructure."
Read the full advisory at mit
SOLUTION
It is recommended that all Gentoo Linux users who are running app-crypt/heimdal upgrade to heimdal-0.6 as follows
emerge sync emerge heimdal emerge clean
aliz@gentoo.org - GnuPG key is available at
Resolution
References
Availability
style>.gentoo_availability{display:block;}
Concerns
PREVIOUS 
NEXT Severity
critical
Lowest
Low
Medium
High
Critical
PACKAGE : heimdal
SUMMARY : protocol bug in the kerberos v4 cross-realm operation
DATE : 2003-05-27 08:46 UTC
EXPLOIT : remote
VERSIONS AFFECTED : =heimdal-0.6
CVE : CAN-2003-0139 CAN-2003-0138
Background
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Affected Packages
Impact
Workaround
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!