Bugtraq mailing list archives
[ GLSA 201201-13 ] MIT Kerberos 5: Multiple vulnerabilities
From: Sean Amoss <ackle () gentoo org>
Date: Mon, 23 Jan 2012 15:31:18 -0500
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201201-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: High Title: MIT Kerberos 5: Multiple vulnerabilities Date: January 23, 2012 Bugs: #303723, #308021, #321935, #323525, #339866, #347369, #352859, #359129, #363507, #387585, #393429 ID: 201201-13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been found in MIT Kerberos 5, the most severe of which may allow remote execution of arbitrary code. Background ========== MIT Kerberos 5 is a suite of applications that implement the Kerberos network protocol. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 app-crypt/mit-krb5 < 1.9.2-r1 >= 1.9.2-r1 Description =========== Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please review the CVE identifiers referenced below for details. Impact ====== A remote attacker may be able to execute arbitrary code with the privileges of the administration daemon or the Key Distribution Center (KDC) daemon, cause a Denial of Service condition, or possibly obtain sensitive information. Furthermore, a remote attacker may be able to spoof Kerberos authorization, modify KDC responses, forge user data messages, forge tokens, forge signatures, impersonate a client, modify user-visible prompt text, or have other unspecified impact. Workaround ========== There is no known workaround at this time. Resolution ========== All MIT Kerberos 5 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.9.2-r1" References ========== [ 1 ] CVE-2009-3295 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3295 [ 2 ] CVE-2009-4212 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4212 [ 3 ] CVE-2010-0283 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0283 [ 4 ] CVE-2010-0629 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0629 [ 5 ] CVE-2010-1320 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1320 [ 6 ] CVE-2010-1321 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1321 [ 7 ] CVE-2010-1322 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1322 [ 8 ] CVE-2010-1323 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1323 [ 9 ] CVE-2010-1324 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1324 [ 10 ] CVE-2010-4020 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4020 [ 11 ] CVE-2010-4021 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4021 [ 12 ] CVE-2010-4022 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4022 [ 13 ] CVE-2011-0281 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0281 [ 14 ] CVE-2011-0282 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0282 [ 15 ] CVE-2011-0283 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0283 [ 16 ] CVE-2011-0284 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0284 [ 17 ] CVE-2011-0285 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0285 [ 18 ] CVE-2011-1527 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1527 [ 19 ] CVE-2011-1528 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1528 [ 20 ] CVE-2011-1529 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1529 [ 21 ] CVE-2011-1530 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1530 [ 22 ] CVE-2011-4151 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4151 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201201-13.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security () gentoo org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- [ GLSA 201201-13 ] MIT Kerberos 5: Multiple vulnerabilities Sean Amoss (Jan 23)