oss-sec mailing list archives
CVE assignment notification (pam_krb5 CVE-2009-1384)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 27 May 2009 11:55:13 +0200
Hello Steve,

a security flaw similar to the recent pam_ssh one, CVE-2009-1273:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273
was found in the pam_krb5 module.

From the particular Red Hat bugzilla entry:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1384

<cite>
A security flaw was found in the PAM pam_krb5 module, providing user authentication based on Kerberos principals. A remote attacker could use this flaw to recognize if some username/login belongs to the set of user accounts existing on the system, and subsequently perform a dictionary-based password guessing attack.
</cite>

VERSIONS INFORMATION (Red Hat pam_krb5 version numbering is used):
=====================

a, Not vulnerable - the vulnerability is not present in versions of pam_krb5
   prior to and including pam_krb5-2.1.17

b, Vulnerable - presence of the flaw is confirmed in versions of pam_krb5
   starting from pam_krb5-2.2.14 and newer

CVE:
====
The CVE identifier CVE-2009-1384 has already been assigned to this flaw.

Thanks && regards,
Jan.

--
Jan iankko Lieskovsky / Red Hat Security Response Team
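As an added example (not part of the original message or of pam_krb5): a small Python detector for the two patterns the report describes, a username-enumeration sweep followed by a dictionary attack on an account the sweep confirmed to exist, run over constructed failed-login records. The record format, addresses, usernames and thresholds are assumptions for the example, not pam_krb5 log output.

```python
from collections import defaultdict, deque

# Constructed sample records of failed PAM logins (not real pam_krb5 log
# output): (seconds since start, client address, username tried).
SAMPLE_EVENTS = (
    # one client sweeps 12 different usernames in a minute: enumeration pattern
    [(i * 5, "198.51.100.7", f"user{i:02d}") for i in range(12)]
    # ...then makes 25 guesses against the one account that was found to exist
    + [(120 + i * 2, "198.51.100.7", "user07") for i in range(25)]
    # a legitimate user mistypes a password three times: should not be flagged
    + [(10, "203.0.113.9", "bob"), (40, "203.0.113.9", "bob"), (70, "203.0.113.9", "bob")]
)


def classify_sources(events, window=300, user_threshold=10, guess_threshold=20):
    """Slide a time window over failed logins per client and flag two patterns:
    "username-enumeration" when one client tries many distinct usernames, and
    "dictionary-attack" when it accumulates many failures against one username.
    Returns {client: set(labels)} for flagged clients only."""
    findings = defaultdict(set)
    recent_by_src = defaultdict(deque)  # client -> (t, user) within the window
    for t, src, user in sorted(events):
        recent = recent_by_src[src]
        recent.append((t, user))
        while recent and recent[0][0] < t - window:  # drop expired records
            recent.popleft()
        distinct_users = {u for _, u in recent}
        if len(distinct_users) >= user_threshold:
            findings[src].add("username-enumeration")
        per_user = defaultdict(int)
        for _, u in recent:
            per_user[u] += 1
        if max(per_user.values()) >= guess_threshold:
            findings[src].add("dictionary-attack")
    return dict(findings)


if __name__ == "__main__":
    for src, labels in classify_sources(SAMPLE_EVENTS).items():
        print(src, sorted(labels))
```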