
UNIRAS Brief - 533/05 - Fedora - Two Update Notifications



 

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 533/05 dated 13.07.05  Time: 10:55  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====
Fedora - Two Update Notifications:
     1.  Fedora Core 3 Update: krb5-1.3.6-7 [FEDORA-2005-552]
     2.  Fedora Core 4 Update: krb5-1.4.1-5 [FEDORA-2005-553]

Detail
====== 

Update notification summaries:

     1.  Multiple vulnerabilities exist in Kerberos V5, a trusted-third-party network 
         authentication system, version 1.3.6, release 7.

     2.  Multiple vulnerabilities exist in Kerberos V5, a trusted-third-party network 
         authentication system, version 1.4.1, release 5.


Update notification content follows:


1.


- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-552
2005-07-12
- ---------------------------------------------------------------------

Product     : Fedora Core 3
Name        : krb5
Version     : 1.3.6                      
Release     : 7                  
Summary     : The Kerberos network authentication system.
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.

- ---------------------------------------------------------------------
Update Information:

A double-free flaw was found in the krb5_recvauth() routine which may be triggered 
by a remote unauthenticated attacker.  Fedora Core 3 contains checks within glibc 
that detect double-free flaws.  Therefore, on Fedora Core 3, successful exploitation 
of this issue can only lead to a denial of service (KDC crash).  The Common 
Vulnerabilities and Exposures project assigned the name CAN-2005-1689 to this issue.

Daniel Wachdorf discovered a single-byte heap overflow in the krb5_unparse_name() 
function, part of krb5-libs.  Successful exploitation of this flaw would lead to a 
denial of service (crash).  To trigger this flaw remotely, an attacker would need to 
have control of a Kerberos realm that shares a cross-realm key with the target, making 
exploitation of this flaw unlikely (CAN-2005-1175).

Daniel Wachdorf also discovered that in error conditions that may occur in response to 
correctly-formatted client requests, the Kerberos 5 KDC may attempt to free 
uninitialized memory.  This could allow a remote attacker to cause a denial of service 
(KDC crash) (CAN-2005-1174).

Gaël Delalleau discovered an information disclosure issue in the way some telnet clients 
handle messages from a server. An attacker could construct a malicious telnet server that
collects information from the environment of any victim who connects to it using the 
Kerberos-aware telnet client (CAN-2005-0488).

The rcp protocol allows a server to instruct a client to write to arbitrary files outside 
of the current directory. This could potentially cause a security issue if a user uses 
the Kerberos-aware rcp to copy files from a malicious server (CAN-2004-0175).
- ---------------------------------------------------------------------
* Wed Jun 29 2005 Nalin Dahyabhai <nalin@xxxxxxxxxx> 1.3.6-7

- fix telnet client environment variable disclosure the same way NetKit's
  telnet client did (CAN-2005-0488) (#159305)
- keep apps which call krb5_principal_compare() or krb5_realm_compare() with
  malformed or NULL principal structures from crashing outright (Thomas Biege)
  (#161475)

* Tue Jun 28 2005 Nalin Dahyabhai <nalin@xxxxxxxxxx>

- apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175)
  (#157104)
- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755)

* Fri Jun 24 2005 Nalin Dahyabhai <nalin@xxxxxxxxxx> 1.3.6-6

- fix double-close in keytab handling
- add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612)


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------




2.




- ---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2005-553
2005-07-12
- ---------------------------------------------------------------------

Product     : Fedora Core 4
Name        : krb5
Version     : 1.4.1                      
Release     : 5                  
Summary     : The Kerberos network authentication system.
Description :
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords.

- ---------------------------------------------------------------------
Update Information:

A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a 
remote unauthenticated attacker.  Fedora Core 4 contains checks within glibc that detect 
double-free flaws.  Therefore, on Fedora Core 4, successful exploitation of this issue can 
only lead to a denial of service (KDC crash).  The Common Vulnerabilities and Exposures 
project assigned the name CAN-2005-1689 to this issue.

Daniel Wachdorf discovered a single-byte heap overflow in the krb5_unparse_name() function, 
part of krb5-libs.  Successful exploitation of this flaw would lead to a denial of service 
(crash).  To trigger this flaw remotely, an attacker would need to have control of a Kerberos 
realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely 
(CAN-2005-1175).

Daniel Wachdorf also discovered that in error conditions that may occur in response to 
correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory.  
This could allow a remote attacker to cause a denial of service (KDC crash) (CAN-2005-1174).

Gaël Delalleau discovered an information disclosure issue in the way some telnet clients handle 
messages from a server. An attacker could construct a malicious telnet server that collects 
information from the environment of any victim who connects to it using the Kerberos-aware 
telnet client (CAN-2005-0488).

The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the 
current directory. This could potentially cause a security issue if a user uses the Kerberos-aware 
rcp to copy files from a malicious server (CAN-2004-0175).
- ---------------------------------------------------------------------
* Wed Jun 29 2005 Nalin Dahyabhai <nalin@xxxxxxxxxx> 1.4.1-5

- fix telnet client environment variable disclosure the same way NetKit's
  telnet client did (CAN-2005-0488) (#159305)
- keep apps which call krb5_principal_compare() or krb5_realm_compare() with
  malformed or NULL principal structures from crashing outright (Thomas Biege)
  (#161475)

* Tue Jun 28 2005 Nalin Dahyabhai <nalin@xxxxxxxxxx>

- apply fixes from draft of MIT-KRB5-SA-2005-002 (CAN-2005-1174,CAN-2005-1175)
  (#157104)
- apply fixes from draft of MIT-KRB5-SA-2005-003 (CAN-2005-1689) (#159755)

* Fri Jun 24 2005 Nalin Dahyabhai <nalin@xxxxxxxxxx> 1.4.1-4

- fix double-close in keytab handling
- add port of fixes for CAN-2004-0175 to krb5-aware rcp (#151612)

* Fri May 13 2005 Nalin Dahyabhai <nalin@xxxxxxxxxx> 1.4.1-3

- prevent spurious EBADF in krshd when stdin is closed by the client while
  the command is running (#151111)

* Fri May 13 2005 Martin Stransky <stransky@xxxxxxxxxx> 1.4.1-2

- add deadlock patch, removed old patch

* Fri May  6 2005 Nalin Dahyabhai <nalin@xxxxxxxxxx> 1.4.1-1

- update to 1.4.1, incorporating fixes for CAN-2005-0468 and CAN-2005-0469
- when starting the KDC or kadmind, if KRB5REALM is set via the /etc/sysconfig
  file for the service, pass it as an argument for the -r flag


- ---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/4/

This update can also be installed with the Update Agent; you can
launch the Update Agent with the 'up2date' command.  
- ---------------------------------------------------------------------


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Fedora for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
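
Both update notifications above describe CAN-2004-0175, where a server can instruct an rcp client to write outside the current directory. The following is an added example, not code from the krb5 package or from Fedora's patch, of the client-side check that addresses this class of issue: accept a server-supplied name only if it is a single path component. The function names and the record layout "C<4 octal mode digits> <size> <name>\n" (or "D..." for a directory) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum rcp_verdict { RCP_OK = 0, RCP_MALFORMED = -1, RCP_UNSAFE_NAME = -2 };

/* Safe = one non-empty path component, created inside the current target dir. */
static int name_is_safe(const char *name)
{
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return 0;                      /* empty, absolute, or has a directory part */
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* Validate one control record received from the remote side (hypothetical helper).
 * On RCP_OK, *name_out points at the accepted name inside rec. */
enum rcp_verdict rcp_check_record(char *rec, const char **name_out)
{
    size_t len = strlen(rec);
    char *p = rec + 1;

    if (len < 2 || rec[len - 1] != '\n' || (rec[0] != 'C' && rec[0] != 'D'))
        return RCP_MALFORMED;
    rec[len - 1] = '\0';               /* strip the record terminator */
    for (int i = 0; i < 4; i++, p++)   /* four octal mode digits */
        if (*p < '0' || *p > '7')
            return RCP_MALFORMED;
    if (*p++ != ' ' || *p < '0' || *p > '9')
        return RCP_MALFORMED;
    while (*p >= '0' && *p <= '9')     /* decimal size */
        p++;
    if (*p++ != ' ')
        return RCP_MALFORMED;
    if (!name_is_safe(p))
        return RCP_UNSAFE_NAME;        /* refuse before any file is opened */
    *name_out = p;
    return RCP_OK;
}

int main(void)
{
    /* Constructed sample records, as a remote rcp source might send them. */
    char recs[][32] = { "C0644 12 notes.txt\n", "C0644 12 ../outside.txt\n", "D0755 0 ..\n" };
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++) {
        const char *name = "-";
        int v = rcp_check_record(recs[i], &name);
        printf("verdict=%d name=%s\n", v, name);
    }
    return 0;
}
```

The check runs on every record, including directory records, because a "D" record naming ".." would move all later writes out of the target directory.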