Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] GLSA: krb5
Date: Mon, 28 Oct 2002 08:34:30
Message-Id: 20021028143430.DCFD23368D@mail1.tamperd.net

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200210-011
- - --------------------------------------------------------------------

PACKAGE : krb5
SUMMARY : buffer overflow
DATE    : 2002-10-28 14:10 UTC
EXPLOIT : remote

- - --------------------------------------------------------------------

A stack buffer overflow in the implementation of the Kerberos v4
compatibility administration daemon (kadmind4) in the MIT krb5
distribution can be exploited to gain unauthorized root access to a
KDC host. The attacker does not need to authenticate to the daemon to
successfully perform this attack. At least one exploit is known to
exist in the wild, and at least one attacker is reasonably competent
at cleaning up traces of intrusion.

Read the full advisory at
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt

SOLUTION

It is recommended that all Gentoo Linux users who are running
app-crypt/krb5 and earlier update their systems as follows:

emerge rsync
emerge krb5
emerge clean

- - --------------------------------------------------------------------
aliz@g.o - GnuPG key is available at www.gentoo.org/~aliz
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9vUr1fT7nyhUpoZMRAhvRAJ9zxSpTuroJ57RA9lVFegHfCODgkgCbBGRb
4qBVkt0y6Ndn9pVFt0zrplo=
=SacS
-----END PGP SIGNATURE-----