Gentoo Archives: gentoo-announce

From: Kurt Lieber <klieber@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200404-09 ] Cross-realm trust vulnerability in Heimdal
Date: Fri, 09 Apr 2004 10:51:31
Message-Id: 20040409105130.GX16487@mail.lieber.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200404-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Cross-realm trust vulnerability in Heimdal

Date: April 09, 2004
Bugs: #46590
ID: 200404-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Heimdal contains a cross-realm vulnerability allowing someone with
control over a realm to impersonate anyone in the cross-realm trust
path.

Background
==========

Heimdal is a free implementation of Kerberos 5.

Affected packages
=================

-------------------------------------------------------------------
Package              /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
app-crypt/heimdal       <= 0.6.0        >= 0.6.1

Description
===========

Heimdal does not properly perform certain consistency checks for
cross-realm requests, which allows remote attackers with control of a
realm to impersonate others in the cross-realm trust path.
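The advisory does not spell out which consistency checks were missing. As an illustration of the class of check a KDC has to apply before it honours a ticket-granting ticket sealed by another realm, the following is an added example, not Heimdal's code: it verifies that the client realm claimed in a cross-realm TGT, the realms recorded as transited, and the realm that issued the TGT together form exactly the trust path the local KDC is configured with. The realm names, the trust table and the ticket fields are all assumptions constructed for this example.

```python
# Constructed illustration (not Heimdal's code) of a trust-path consistency
# check on a cross-realm TGT. Realm names and the trust table are assumed.
from dataclasses import dataclass, field

LOCAL_REALM = "LOCAL"

# Assumed trust configuration of the LOCAL KDC (capaths style): for each
# foreign realm, the chain of realms a principal from there crosses to
# reach LOCAL. The last entry is the realm that hands the TGT to us.
TRUST_PATHS = {
    "PARTNER": ["PARTNER"],          # direct trust
    "FAR":     ["PARTNER"],          # FAR -> PARTNER -> LOCAL
    "FARTHER": ["MID", "PARTNER"],   # FARTHER -> MID -> PARTNER -> LOCAL
    "OTHER":   ["OTHER"],            # another directly trusted realm
}


@dataclass
class CrossRealmTGT:
    issuing_realm: str     # realm whose krbtgt key sealed the ticket
    client_realm: str      # realm claimed in the ticket's crealm field
    # Intermediate realms already crossed (assumed encoding: the client's
    # realm and the issuing realm themselves are not listed here).
    transited: list = field(default_factory=list)


def check_cross_realm_tgt(tgt, local_realm=LOCAL_REALM):
    """Return None if the TGT is consistent with the configured trust
    paths, otherwise a short reason to reject it."""
    if tgt.issuing_realm == local_realm:
        return "ticket is not cross-realm"
    if tgt.issuing_realm not in TRUST_PATHS:
        return f"no trust path from issuing realm {tgt.issuing_realm}"
    if tgt.client_realm == local_realm:
        # A foreign KDC can never vouch for one of our own principals.
        return "foreign realm vouches for a local principal"
    expected = TRUST_PATHS.get(tgt.client_realm)
    if expected is None:
        return f"client realm {tgt.client_realm} is not trusted"
    # Path actually recorded in the ticket: realms crossed so far, then
    # the realm that issued this TGT. It must match the configured chain
    # exactly; any deviation means a realm in the chain vouched for a
    # principal it has no authority over (the impersonation the advisory
    # describes, here detected and refused).
    actual = tgt.transited + [tgt.issuing_realm]
    if actual != expected:
        return f"trust path {actual} does not match configured {expected}"
    return None
```

A realm that controls its own KDC can always mint tickets for its own principals; the check only stops it from minting tickets whose claimed client sits in a realm it does not lie on the configured path to.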

Impact
======

Remote attackers with control of a realm may be able to impersonate
other users in the cross-realm trust path.

Workaround
==========

A workaround is not currently known for this issue. All users are
advised to upgrade to the latest version of the affected package.

Resolution
==========

Heimdal users should upgrade to version 0.6.1 or later:

# emerge sync

# emerge -pv ">=app-crypt/heimdal-0.6.1"
# emerge ">=app-crypt/heimdal-0.6.1"

References
==========

[ 1 ] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0371

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200404-09.xml

Copyright/License
=================
Copyright 2004 Gentoo Technologies, Inc.

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0