
Re: [Sysadmins] [SECURITY] [DSA 1524-1] New krb5 packages fix multiple vulnerabilities



Does this problem affect the version in testing/unstable
(1.6.dfsg.3~beta1-3)?  The original advisory from MIT mentions version
1.6.3 and earlier are vulnerable, so I assume that the versions in
lenny/sid are?


Thanks, Joshua Hutchins


Noah Meyerhans wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1524-1                security@debian.org
> http://www.debian.org/security/                         Noah Meyerhans
> March 18, 2008                      http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package        : krb5
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2008-0062 CVE-2008-0063 CVE-2008-0947
>
> Several remote vulnerabilities have been discovered in the kdc component
> of krb5, a system for authenticating users and services on a
> network.
>
> CVE-2008-0062
>
> An unauthenticated remote attacker may cause a krb4-enabled KDC to
> crash, expose information, or execute arbitrary code.  Successful
> exploitation of this vulnerability could compromise the Kerberos key
> database and host security on the KDC host.
>
> CVE-2008-0063
>
> An unauthenticated remote attacker may cause a krb4-enabled KDC to
> expose information.  It is theoretically possible for the exposed
> information to include secret key data on some platforms.
>
> CVE-2008-0947
>
> An unauthenticated remote attacker can cause memory corruption in the
> kadmind process, which is likely to cause kadmind to crash, resulting in
> a denial of service. It is at least theoretically possible for such
> corruption to result in database corruption or arbitrary code execution,
> though we have no such exploit and are not aware of any such exploits in
> use in the wild.  In versions of MIT Kerberos shipped by Debian, this
> bug can only be triggered in configurations that allow large numbers of
> open file descriptors in a process.
>
> For the stable distribution (etch), these problems have been fixed in
> version 1.4.4-7etch5.
>
> For the old stable distribution (sarge), these problems have been fixed
> in version krb5 1.3.6-2sarge6.
>
> We recommend that you upgrade your krb5 packages.
>
> Upgrade instructions
> --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
> Debian 3.1 (oldstable)
> ----------------------
>
> Oldstable updates are available for alpha, amd64, arm, hppa, i386,
> ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
>
> Source archives:
>
>   These files will probably be moved into the stable distribution on
>   its next update.
>
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security
> dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>