Re: [Sysadmins] [SECURITY] [DSA 1524-1] New krb5 packages fix multiple vulnerabilities
Does this problem affect the version in testing/unstable
(1.6.dfsg.3~beta1-3)? The original advisory from MIT mentions version
1.6.3 and earlier are vulnerable, so I assume that the versions in
lenny/sid are?
Thanks, Joshua Hutchins
Noah Meyerhans wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1524-1 security@debian.org
> http://www.debian.org/security/ Noah Meyerhans
> March 18, 2008 http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package : krb5
> Vulnerability : several
> Problem type : remote
> Debian-specific: no
> CVE Id(s) : CVE-2008-0062 CVE-2008-0063 CVE-2008-0947
>
> Several remote vulnerabilities have been discovered in the kdc component
> of krb5, a system for authenticating users and services on a
> network.
>
> CVE-2008-0062
>
> An unauthenticated remote attacker may cause a krb4-enabled KDC to
> crash, expose information, or execute arbitrary code. Successful
> exploitation of this vulnerability could compromise the Kerberos key
> database and host security on the KDC host.
>
> CVE-2008-0063
>
> An unauthenticated remote attacker may cause a krb4-enabled KDC to
> expose information. It is theoretically possible for the exposed
> information to include secret key data on some platforms.
>
> CVE-2008-0947
>
> An unauthenticated remote attacker can cause memory corruption in the
> kadmind process, which is likely to cause kadmind to crash, resulting in
> a denial of service. It is at least theoretically possible for such
> corruption to result in database corruption or arbitrary code execution,
> though we have no such exploit and are not aware of any such exploits in
> use in the wild. In versions of MIT Kerberos shipped by Debian, this
> bug can only be triggered in configurations that allow large numbers of
> open file descriptors in a process.
>
> For the stable distribution (etch), these problems have been fixed in
> version 1.4.4-7etch5.
>
> For the old stable distribution (sarge), these problems have been fixed
> in version krb5 1.3.6-2sarge6.
>
> We recommend that you upgrade your krb5 packages.
>
> Upgrade instructions
> --------------------
>
> wget url
> will fetch the file for you
> dpkg -i file.deb
> will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
> will update the internal database
> apt-get upgrade
> will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
> Debian 3.1 (oldstable)
> ----------------------
>
> Oldstable updates are available for alpha, amd64, arm, hppa, i386,
> ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
>
> Source archives:
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security
> dists/stable/updates/main
> Mailing list: debian-security-announce@lists.debian.org
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
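Because the question above comes down to whether an installed krb5 version is at or beyond the version the advisory names as fixed, here is a small Python check, added here and not part of the DSA, the list thread or Debian's own tooling. It implements the Debian version ordering as documented for dpkg (epoch, then upstream version, then Debian revision; digit runs compared numerically, `~` sorting before anything, including the end of the string) and audits an inventory against the fixed versions DSA-1524-1 lists. The hostnames and inventory lines are constructed samples; `FIXED_VERSIONS` holds only what the advisory states (sarge and etch), so a suite the advisory does not cover, such as lenny/sid, is reported as unlisted rather than guessed at.

```python
"""Check installed krb5 versions against the fixed versions in DSA-1524-1.

Version ordering follows the Debian policy rules that dpkg implements;
this is an independent re-implementation for offline use, not dpkg's code.
"""

# Fixed versions exactly as stated in DSA-1524-1 (no fix listed for lenny/sid).
FIXED_VERSIONS = {
    "sarge": "1.3.6-2sarge6",
    "etch": "1.4.4-7etch5",
}

# Constructed sample inventory: "<host> <suite> <installed krb5 version>".
SAMPLE_INVENTORY = """\
kdc1.example.org sarge 1.3.6-2sarge5
kdc2.example.org etch 1.4.4-7etch5
kdc3.example.org etch 1.4.4-7etch4
build.example.org lenny 1.6.dfsg.3~beta1-3
"""


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Sort weight of a single character in a non-digit run (Debian policy)."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1          # '~' sorts before everything, even end-of-string
    if c:
        return ord(c) + 256  # '.', '+', '-' and friends sort after letters
    return 0               # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two upstream-version or revision strings; <0, 0 or >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit run character by character.
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the digit run numerically: strip leading zeros, then the
        # longer run wins, else the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and _isdigit(a[i]) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like dpkg --compare-versions would order a and b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return -1 if r < 0 else (1 if r > 0 else 0)


def is_patched(suite: str, installed: str) -> bool:
    """True if installed >= the DSA's fixed version; KeyError if suite unlisted."""
    return compare_versions(installed, FIXED_VERSIONS[suite]) >= 0


def audit(inventory: str) -> dict:
    """Map each host in the inventory to its status relative to DSA-1524-1."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, suite, installed = line.split()
        fixed = FIXED_VERSIONS.get(suite)
        if fixed is None:
            results[host] = "no fixed version listed in DSA-1524-1"
        elif compare_versions(installed, fixed) >= 0:
            results[host] = "patched"
        else:
            results[host] = "vulnerable (upgrade to %s)" % fixed
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print("%-20s %s" % (host, status))
```

On a Debian host the installed value for a line would come from `dpkg-query -W -f='${Version}' krb5-kdc`, and `dpkg --compare-versions` performs the same ordering natively; the script is useful when the comparison has to be done off-box, for example over a fleet inventory. Note that the `~` handling is what makes a pre-release such as `1.6.dfsg.3~beta1-3` sort below `1.6.dfsg.3-1`, which matters when deciding whether a testing/unstable package predates a given upload.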