Bugtraq mailing list archives
Re: Vulnerabilities in KTH Kerberos IV
From: Robert Watson <rwatson () FREEBSD ORG>
Date: Sun, 10 Dec 2000 15:52:39 -0500
On Fri, 8 Dec 2000, Jouko Pynnonen wrote:
> There are at least two common free Kerberos implementations: MIT and KTH (Royal Institute of Technology, Sweden). The latter is included in OpenBSD and FreeBSD.
> ...
> OS vendors were notified 11/28 via a mailing list, and KTH Kerberos team 12/01.

Despite being explicitly mentioned in the advisory as an affected operating system and the statement of notification above, the FreeBSD Project was not notified in advance of the release of this advisory. We are currently evaluating the effect of the vulnerability on our code base, and will no doubt be releasing a security advisory shortly.

In the future, we would appreciate it if those aware of vulnerabilities in our code base made some minimal effort to contact us before releasing an advisory; we have widely published the availability of our security-officer () FreeBSD org address and service, as well as PGP keys to protect communications as necessary. In addition, both CERT and SecurityFocus can provide assistance in identifying vulnerable software, and in contacting vendors affected.

I'm sure other vendors have also been caught off-guard by this vulnerability, and would similarly appreciate advance notice.

Thanks,

Robert N M Watson
FreeBSD Core Team, TrustedBSD Project
robert () fledge watson org
NAI Labs, Safeport Network Services