LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: October 27th, 2014
Linux Advisory Watch: October 24th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
Red Hat: krb5 security issues Print E-mail
User Rating:      How can I rate this item?
Posted by LinuxSecurity.com Team   
RedHat Linux Updated krb5 packages that improve client responsiveness and fix severalsecurity issues are now available for Red Hat Enterprise Linux 3.

---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Updated krb5 packages fix security issues
Advisory ID:       RHSA-2004:350-01
Issue date:        2004-08-31
Updated on:        2004-08-31
Product:           Red Hat Enterprise Linux
Keywords:          krb5 client timeout
Obsoletes:         RHSA-2004:236
CVE Names:         CAN-2004-0642 CAN-2004-0643 CAN-2004-0644
---------------------------------------------------------------------

1. Summary:

Updated krb5 packages that improve client responsiveness and fix several
security issues are now available for Red Hat Enterprise Linux 3.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Kerberos is a networked authentication system that uses a trusted third
party (a KDC) to authenticate clients and servers to each other.

Several double-free bugs were found in the Kerberos 5 KDC and libraries.  A
remote attacker could potentially exploit these flaws to execuate arbitrary
code.  The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2004-0642 and CAN-2004-0643 to these issues.

A double-free bug was also found in the krb524 server (CAN-2004-0772),
however this issue does not affect Red Hat Enterprise Linux 3 Kerberos
packages.

An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library.  A
remote attacker may be able to trigger this flaw and cause a denial of
service. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0644 to this issue.

When attempting to contact a KDC, the Kerberos libraries will iterate
through the list of configured servers, attempting to contact each in turn.
If one of the servers becomes unresponsive, the client will time out and
contact the next configured server.  When the library attempts to contact
the next KDC, the entire process is repeated.  For applications which must
contact a KDC several times, the accumulated time spent waiting can become
significant.

This update modifies the libraries, notes which server for a given realm
last responded to a request, and attempts to contact that server first
before contacting any of the other configured servers.

All users of krb5 should upgrade to these updated packages, which contain
backported security patches to resolve these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate.  The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS: 
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/krb5-1.2.7-28.src.rpm
3c91ce8bc77bd9bc5bf2f00c09d23cff  krb5-1.2.7-28.src.rpm

i386:
758976fe956ac98a73809b4cc716d4c5  krb5-devel-1.2.7-28.i386.rpm
6a5c52f4ec0a575ca3f22696c592ecc6  krb5-libs-1.2.7-28.i386.rpm
d805a5ef4dc5c16f1a6957cd60769076  krb5-server-1.2.7-28.i386.rpm
2fee85ec1cc48fe67b90cd9954149321  krb5-workstation-1.2.7-28.i386.rpm

ia64:
2d5b6ce0d861cb35c66e9ce11321ca09  krb5-devel-1.2.7-28.ia64.rpm
dd27b1cfed80262c724f20400d174ae6  krb5-libs-1.2.7-28.ia64.rpm
0c0b19114325ab9b9798398009abc745  krb5-server-1.2.7-28.ia64.rpm
b6d331840e0a625073c03f3629b71b6f  krb5-workstation-1.2.7-28.ia64.rpm

ppc:
548446398708f1ee3a1820be932c427c  krb5-devel-1.2.7-28.ppc.rpm
32f8d495713aad38cf0961e7eab8146f  krb5-libs-1.2.7-28.ppc.rpm
2805823ff0ceeb7fd084f4cd1322f180  krb5-server-1.2.7-28.ppc.rpm
c896eb2e27858495ca85a7f4f60b7d9d  krb5-workstation-1.2.7-28.ppc.rpm

ppc64:
9571b0242acad9ec5601b941aa5cf93e  krb5-devel-1.2.7-28.ppc64.rpm
8bba9563078f648f8399be16a4a52d2a  krb5-libs-1.2.7-28.ppc64.rpm
48df8c1d94161a229cf5d52e0f2224ed  krb5-server-1.2.7-28.ppc64.rpm
683c8c478512a0d2ef8d4b631e038501  krb5-workstation-1.2.7-28.ppc64.rpm

s390:
e1ab9eb4bef50ef7830e9504c988e4b8  krb5-devel-1.2.7-28.s390.rpm
4786e0ba3adbccca954fb2dee1034dd7  krb5-libs-1.2.7-28.s390.rpm
3b17e6311a345c13efa0322a6f47e08f  krb5-server-1.2.7-28.s390.rpm
ce72c91a8d4dd92969bc099866a693cd  krb5-workstation-1.2.7-28.s390.rpm

s390x:
9c3c9f758c4a619e852f5289f31614fd  krb5-devel-1.2.7-28.s390x.rpm
94d14bb7d2e34140941c51839b4cf4f6  krb5-libs-1.2.7-28.s390x.rpm
9e11ac40de7e36037cc4da2346c5f64f  krb5-server-1.2.7-28.s390x.rpm
c2f65cd14134efa5794c732ed7e210df  krb5-workstation-1.2.7-28.s390x.rpm

x86_64:
4b5d4f9ec25bf69bf3d1632b8f9dfece  krb5-devel-1.2.7-28.x86_64.rpm
3ba1a8cda52f4c5c4f235390b5ab231c  krb5-libs-1.2.7-28.x86_64.rpm
4dae049940b908786c4c18ec2c4633e0  krb5-server-1.2.7-28.x86_64.rpm
c68b7f6f4571165da841e89fb2de809d  krb5-workstation-1.2.7-28.x86_64.rpm

Red Hat Desktop version 3:

SRPMS: 
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/krb5-1.2.7-28.src.rpm
3c91ce8bc77bd9bc5bf2f00c09d23cff  krb5-1.2.7-28.src.rpm

i386:
758976fe956ac98a73809b4cc716d4c5  krb5-devel-1.2.7-28.i386.rpm
6a5c52f4ec0a575ca3f22696c592ecc6  krb5-libs-1.2.7-28.i386.rpm
d805a5ef4dc5c16f1a6957cd60769076  krb5-server-1.2.7-28.i386.rpm
2fee85ec1cc48fe67b90cd9954149321  krb5-workstation-1.2.7-28.i386.rpm

x86_64:
4b5d4f9ec25bf69bf3d1632b8f9dfece  krb5-devel-1.2.7-28.x86_64.rpm
3ba1a8cda52f4c5c4f235390b5ab231c  krb5-libs-1.2.7-28.x86_64.rpm
4dae049940b908786c4c18ec2c4633e0  krb5-server-1.2.7-28.x86_64.rpm
c68b7f6f4571165da841e89fb2de809d  krb5-workstation-1.2.7-28.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS: 
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/krb5-1.2.7-28.src.rpm
3c91ce8bc77bd9bc5bf2f00c09d23cff  krb5-1.2.7-28.src.rpm

i386:
758976fe956ac98a73809b4cc716d4c5  krb5-devel-1.2.7-28.i386.rpm
6a5c52f4ec0a575ca3f22696c592ecc6  krb5-libs-1.2.7-28.i386.rpm
d805a5ef4dc5c16f1a6957cd60769076  krb5-server-1.2.7-28.i386.rpm
2fee85ec1cc48fe67b90cd9954149321  krb5-workstation-1.2.7-28.i386.rpm

ia64:
2d5b6ce0d861cb35c66e9ce11321ca09  krb5-devel-1.2.7-28.ia64.rpm
dd27b1cfed80262c724f20400d174ae6  krb5-libs-1.2.7-28.ia64.rpm
0c0b19114325ab9b9798398009abc745  krb5-server-1.2.7-28.ia64.rpm
b6d331840e0a625073c03f3629b71b6f  krb5-workstation-1.2.7-28.ia64.rpm

x86_64:
4b5d4f9ec25bf69bf3d1632b8f9dfece  krb5-devel-1.2.7-28.x86_64.rpm
3ba1a8cda52f4c5c4f235390b5ab231c  krb5-libs-1.2.7-28.x86_64.rpm
4dae049940b908786c4c18ec2c4633e0  krb5-server-1.2.7-28.x86_64.rpm
c68b7f6f4571165da841e89fb2de809d  krb5-workstation-1.2.7-28.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS: 
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/krb5-1.2.7-28.src.rpm
3c91ce8bc77bd9bc5bf2f00c09d23cff  krb5-1.2.7-28.src.rpm

i386:
758976fe956ac98a73809b4cc716d4c5  krb5-devel-1.2.7-28.i386.rpm
6a5c52f4ec0a575ca3f22696c592ecc6  krb5-libs-1.2.7-28.i386.rpm
d805a5ef4dc5c16f1a6957cd60769076  krb5-server-1.2.7-28.i386.rpm
2fee85ec1cc48fe67b90cd9954149321  krb5-workstation-1.2.7-28.i386.rpm

ia64:
2d5b6ce0d861cb35c66e9ce11321ca09  krb5-devel-1.2.7-28.ia64.rpm
dd27b1cfed80262c724f20400d174ae6  krb5-libs-1.2.7-28.ia64.rpm
0c0b19114325ab9b9798398009abc745  krb5-server-1.2.7-28.ia64.rpm
b6d331840e0a625073c03f3629b71b6f  krb5-workstation-1.2.7-28.ia64.rpm

x86_64:
4b5d4f9ec25bf69bf3d1632b8f9dfece  krb5-devel-1.2.7-28.x86_64.rpm
3ba1a8cda52f4c5c4f235390b5ab231c  krb5-libs-1.2.7-28.x86_64.rpm
4dae049940b908786c4c18ec2c4633e0  krb5-server-1.2.7-28.x86_64.rpm
c68b7f6f4571165da841e89fb2de809d  krb5-workstation-1.2.7-28.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key.html#package

6. References:
 
http://web.mit.edu/kerberos/advisories/ 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644

7. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Pirate Bay founder guilty in historic hacker case
Parallels CTO: Linux container security is not the problem
Advisory says to assume all Drupal 7 websites are compromised
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.