Gentoo Archives: gentoo-announce

From: Sean Amoss <ackle@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 201201-13 ] MIT Kerberos 5: Multiple vulnerabilities
Date: Mon, 23 Jan 2012 20:38:25
Message-Id: 4F1DC396.9060202@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201201-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: MIT Kerberos 5: Multiple vulnerabilities
Date: January 23, 2012
Bugs: #303723, #308021, #321935, #323525, #339866, #347369,
#352859, #359129, #363507, #387585, #393429
ID: 201201-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in MIT Kerberos 5, the most
severe of which may allow remote execution of arbitrary code.

Background
==========

MIT Kerberos 5 is a suite of applications that implement the Kerberos
network protocol.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-crypt/mit-krb5 < 1.9.2-r1 >= 1.9.2-r1

Description
===========

Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to execute arbitrary code with the
privileges of the administration daemon or the Key Distribution Center
(KDC) daemon, cause a Denial of Service condition, or possibly obtain
sensitive information. Furthermore, a remote attacker may be able to
spoof Kerberos authorization, modify KDC responses, forge user data
messages, forge tokens, forge signatures, impersonate a client, modify
user-visible prompt text, or have other unspecified impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MIT Kerberos 5 users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.9.2-r1"

References
==========

[ 1 ] CVE-2009-3295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3295
[ 2 ] CVE-2009-4212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4212
[ 3 ] CVE-2010-0283
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0283
[ 4 ] CVE-2010-0629
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0629
[ 5 ] CVE-2010-1320
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1320
[ 6 ] CVE-2010-1321
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1321
[ 7 ] CVE-2010-1322
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1322
[ 8 ] CVE-2010-1323
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1323
[ 9 ] CVE-2010-1324
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1324
[ 10 ] CVE-2010-4020
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4020
[ 11 ] CVE-2010-4021
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4021
[ 12 ] CVE-2010-4022
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4022
[ 13 ] CVE-2011-0281
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0281
[ 14 ] CVE-2011-0282
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0282
[ 15 ] CVE-2011-0283
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0283
[ 16 ] CVE-2011-0284
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0284
[ 17 ] CVE-2011-0285
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0285
[ 18 ] CVE-2011-1527
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1527
[ 19 ] CVE-2011-1528
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1528
[ 20 ] CVE-2011-1529
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1529
[ 21 ] CVE-2011-1530
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1530
[ 22 ] CVE-2011-4151
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4151

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201201-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
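The affected-packages table gives the fix boundary (below 1.9.2-r1 vulnerable, 1.9.2-r1 and later unaffected). The following POSIX shell snippet is an added example, not part of the advisory or of Gentoo's tooling: it classifies an installed app-crypt/mit-krb5 version against that boundary, so an administrator can confirm the upgrade took effect. It assumes plain dotted versions with an optional Gentoo "-rN" revision (suffixes such as _rc or _p are not handled) and uses constructed sample versions.

```shell
#!/bin/sh
# Added example, not part of GLSA 201201-13: classify an installed
# app-crypt/mit-krb5 version against the advisory's fix boundary.
# Assumption: versions are plain dotted numbers with an optional
# Gentoo "-rN" revision (suffixes such as _rc/_p are not handled).
FIXED_VERSION="1.9.2-r1"   # from the "Unaffected" column of the advisory

# Normalise "X.Y.Z-rN" into four numeric fields "X Y Z N".
# A missing revision counts as -r0, so 1.9.2 sorts before 1.9.2-r1.
version_fields() {
    ver="$1"
    case "$ver" in
        *-r*) rev="${ver##*-r}"; base="${ver%-r*}" ;;
        *)    rev=0;             base="$ver" ;;
    esac
    set -- $(printf '%s\n' "$base" | tr '.' ' ')
    printf '%d %d %d %d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$rev"
}

# Succeed (exit 0) when version $1 sorts strictly before version $2.
version_lt() {
    right=$(version_fields "$2")
    set -- $(version_fields "$1")
    for r in $right; do
        l="$1"; shift
        if [ "$l" -lt "$r" ]; then return 0
        elif [ "$l" -gt "$r" ]; then return 1
        fi
    done
    return 1   # equal versions are not "less than"
}

# Print "vulnerable" for versions below the fix, "unaffected" otherwise.
krb5_status() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# Constructed sample versions (not taken from any real host).
for v in 1.8.3-r1 1.9.2 1.9.2-r1 1.10; do
    printf '%-10s %s\n' "$v" "$(krb5_status "$v")"
done
```

On a Gentoo host, pass the version portion of the installed atom (for example as listed by `equery list app-crypt/mit-krb5` from gentoolkit) to `krb5_status`; note that a bare 1.9.2 is still reported as vulnerable because the fix landed in revision r1.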