Mandriva: Updated Kerberos packages fix multiple - The Community's Center for Security


The central voice for Linux and Open Source security news

Welcome!

Sign up!

EnGarde Community

Polls

How would you rate the importance of default settings in security?

	Critical
	Very Important
	Important
	Useful
	Not important

Advisories

Community

Linux Events

Linux User Groups

Link to Us

Security Center

Book Reviews

Security Dictionary

Security Tips

SELinux

White Papers

Featured Blogs

Emily Ratliff: OS Security

DanWalsh LiveJournal

Security Bloggers Network

Latest Newsletters

Linux Advisory Watch: May 16th, 2008

Linux Security Week: May 13th, 2008

LinuxSecurity Newsletters

RSS Feeds

Get the LinuxSecurity news you want faster with RSS

Mandriva: Updated Kerberos packages fix multiple

User Rating:

How can I rate this item?

Posted by Benjamin D. Thomas

A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4 protocol packets. An unauthenticated remote attacker could use this flaw to crash the krb5kdc daemon, disclose portions of its memory, or possibly %execute arbitrary code using malformed or truncated Kerberos v4 protocol requests (CVE-2008-0062, CVE-2008-0063).

 _______________________________________________________________________
 
 Mandriva Linux Security Advisory                         MDVSA-2008:071
 http://www.mandriva.com/security/
 _______________________________________________________________________
 
 Package : krb5
 Date    : March 19, 2008
 Affected: Corporate 3.0, Multi Network Firewall 2.0
 _______________________________________________________________________
 
 Problem Description:
 
 A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4
 protocol packets.  An unauthenticated remote attacker could use this
 flaw to crash the krb5kdc daemon, disclose portions of its memory,
 or possibly %execute arbitrary code using malformed or truncated
 Kerberos v4 protocol requests (CVE-2008-0062, CVE-2008-0063).
 
 This issue only affects krb5kdc when it has Kerberos v4 protocol
 compatibility enabled, which is a compiled-in default in all
 Kerberos versions that Mandriva Linux ships prior to Mandriva
 Linux 2008.0.  Kerberos v4 protocol support can be disabled by
 adding v4_mode=none (without quotes) to the [kdcdefaults] section
 of /etc/kerberos/krb5kdc/kdc.conf.
 
 The updated packages have been patched to correct these issues.
 _______________________________________________________________________

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt
 _______________________________________________________________________
 
 Updated Packages:
 
 Corporate 3.0:
 d671c7e0f68642556b1ba5a33d26eaf8  corporate/3.0/i586/ftp-client-krb5-1.3-6.10.C30mdk.i586.rpm
 9e5a2591cee10ed62948f6d30e836863  corporate/3.0/i586/ftp-server-krb5-1.3-6.10.C30mdk.i586.rpm
 7e8fc318772ff7dcd22f5b1c81bbfe6d  corporate/3.0/i586/krb5-server-1.3-6.10.C30mdk.i586.rpm
 45838af9454ffc5f6c06a505b4468c83  corporate/3.0/i586/krb5-workstation-1.3-6.10.C30mdk.i586.rpm
 fbdb6f71d9e2a939bbea33312b74c998  corporate/3.0/i586/libkrb51-1.3-6.10.C30mdk.i586.rpm
 50f964ee10fc744553a862c918913b03  corporate/3.0/i586/libkrb51-devel-1.3-6.10.C30mdk.i586.rpm
 667270f39306bd837b08b310a189f75d  corporate/3.0/i586/telnet-client-krb5-1.3-6.10.C30mdk.i586.rpm
 a5a4a1a64c14164e1755ad37e35cf99d  corporate/3.0/i586/telnet-server-krb5-1.3-6.10.C30mdk.i586.rpm 
 07535be43a1e339a0ba69cc167fbb530  corporate/3.0/SRPMS/krb5-1.3-6.10.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 0f693533eea0d49c60b20c40e6b5a872  corporate/3.0/x86_64/ftp-client-krb5-1.3-6.10.C30mdk.x86_64.rpm
 061429249b1cc62647c3a95d6b2a3d8b  corporate/3.0/x86_64/ftp-server-krb5-1.3-6.10.C30mdk.x86_64.rpm
 bda82007dd59af28240d51ca020370d1  corporate/3.0/x86_64/krb5-server-1.3-6.10.C30mdk.x86_64.rpm
 9d7e810eacfc17774ee33a438cdc196d  corporate/3.0/x86_64/krb5-workstation-1.3-6.10.C30mdk.x86_64.rpm
 b4abcda997c06b142bbae27cf3e617ef  corporate/3.0/x86_64/lib64krb51-1.3-6.10.C30mdk.x86_64.rpm
 e3692fe347ec21c7fd25a581ef817d66  corporate/3.0/x86_64/lib64krb51-devel-1.3-6.10.C30mdk.x86_64.rpm
 c5da9da1f3aa15a0966f8d1644748340  corporate/3.0/x86_64/telnet-client-krb5-1.3-6.10.C30mdk.x86_64.rpm
 fd9ff563b0d3d58705eb3b2b4aeebc11  corporate/3.0/x86_64/telnet-server-krb5-1.3-6.10.C30mdk.x86_64.rpm 
 07535be43a1e339a0ba69cc167fbb530  corporate/3.0/SRPMS/krb5-1.3-6.10.C30mdk.src.rpm

 Multi Network Firewall 2.0:
 fa4c3506c056e55862b4db41e134db1c  mnf/2.0/i586/libkrb51-1.3-6.10.M20mdk.i586.rpm 
 5c5caff1487f3284ba0c9529a831405e  mnf/2.0/SRPMS/krb5-1.3-6.10.M20mdk.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team

< Prev		Next >

Partner:

Latest Features

Review: The Book of Wireless

April 2008 Open Source Tool of the Month: sudo

Open Source Tool of March: ZoneMinder

Meet the Anti-Nmap: PSAD

Open Source Tool of February: Nmap!

HowTo: Secure your Ubuntu Apache Web Server

SSH: Best Practices

Yesterday's Edition

Strong passwords no panacea as SSH Brute-Force Attacks Rise

Tools circulate that crack Debian, Ubuntu keys

QuickLinks: Comunity , HOWTOs , Blogs , Features , Book Reviews , Networking ,
Security Projects , Latest News , Newsletters , SELinux , Privacy , Home,
Hardening , About Us, Advertise, Legal Notice, RSS, Guardian Digital