Bugtraq mailing list archives

Re: Vulnerabilities in KTH Kerberos IV


From: Robert Watson <rwatson () FREEBSD ORG>
Date: Sun, 10 Dec 2000 15:52:39 -0500

On Fri, 8 Dec 2000, Jouko Pynnonen wrote:

> There are at least two common free Kerberos implementations:
> MIT and KTH (Royal Institute of Technology, Sweden). The latter is
> included in OpenBSD and FreeBSD.
> ...
> OS vendors were notified 11/28 via a mailing list, and KTH Kerberos
> team 12/01.

Despite being explicitly mentioned in the advisory as an affected
operating system and the statement of notification above, the FreeBSD
Project was not notified in advance of the release of this advisory.  We
are currently evaluating the effect of the vulnerability on our code base,
and will no doubt be releasing a security advisory shortly.

In the future, we would appreciate it if those aware of vulnerabilities in
our code base made some minimal effort to contact us before releasing an
advisory; we have widely published the availability of our
security-officer () FreeBSD org address and service, as well as PGP keys to
protect communications as necessary.  In addition, both CERT and
SecurityFocus can provide assistance in identifying vulnerable software,
and in contacting vendors affected.  I'm sure other vendors have also been
caught off-guard by this vulnerability, and would similarly appreciate
advance notice.

Thanks,

Robert N M Watson                     FreeBSD Core Team, TrustedBSD Project
robert () fledge watson org            NAI Labs, Safeport Network Services
