what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Mandriva Linux Security Advisory 2008-070

Mandriva Linux Security Advisory 2008-070
Posted Mar 19, 2008
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory - Multiple memory management flaws, a Kerberos v4 protocol packet handling issue, and various other vulnerabilities relating to krb5 are addressed in this advisory.

tags | advisory, vulnerability, protocol
systems | linux, mandriva
advisories | CVE-2007-5971, CVE-2008-0062, CVE-2008-0063, CVE-2008-0947
SHA-256 | fc277ea7c60148b444544fab9d8240618ecf77044de176d49396dda8e3ea9193

Mandriva Linux Security Advisory 2008-070

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2008:070
http://www.mandriva.com/security/
_______________________________________________________________________

Package : krb5
Date : March 19, 2008
Affected: 2007.0, Corporate 4.0
_______________________________________________________________________

Problem Description:

A memory management flaw was found in the GSSAPI library used by
Kerberos that could result in an attempt to free already freed memory,
possibly leading to a crash or allowing the execution of arbitrary code
(CVE-2007-5971).

A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4
protocol packets. An unauthenticated remote attacker could use this
flaw to crash the krb5kdc daemon, disclose portions of its memory,
or possibly %execute arbitrary code using malformed or truncated
Kerberos v4 protocol requests (CVE-2008-0062, CVE-2008-0063).

This issue only affects krb5kdc when it has Kerberos v4 protocol
compatibility enabled, which is a compiled-in default in all
Kerberos versions that Mandriva Linux ships prior to Mandriva
Linux 2008.0. Kerberos v4 protocol support can be disabled by
adding v4_mode=none (without quotes) to the [kdcdefaults] section
of /etc/kerberos/krb5kdc/kdc.conf.

A flaw in the RPC library as used in Kerberos' kadmind was discovered
by Jeff Altman of Secure Endpoints. An unauthenticated remote attacker
could use this vulnerability to crash kadmind or possibly execute
arbitrary code in systems with certain resource limits configured;
this does not affect the default resource limits used by Mandriva Linux
(CVE-2008-0947).

The updated packages have been patched to correct these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0947
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-001.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2007.0:
ef17fea5e296992fb34b0d00540b4190 2007.0/i586/ftp-client-krb5-1.4.3-7.4mdv2007.0.i586.rpm
dbc47795968f03dff7eb50ff34a63b8d 2007.0/i586/ftp-server-krb5-1.4.3-7.4mdv2007.0.i586.rpm
36f5b4160b9dc7d4393b8bc5f4f0b6fb 2007.0/i586/krb5-server-1.4.3-7.4mdv2007.0.i586.rpm
f76121f223836939aef1f77164a7224d 2007.0/i586/krb5-workstation-1.4.3-7.4mdv2007.0.i586.rpm
65c052a4916406626b3289abdb43e0a6 2007.0/i586/libkrb53-1.4.3-7.4mdv2007.0.i586.rpm
e50117c585a8560813bc93704562e726 2007.0/i586/libkrb53-devel-1.4.3-7.4mdv2007.0.i586.rpm
1f99498d879f9343510479f2791245ac 2007.0/i586/telnet-client-krb5-1.4.3-7.4mdv2007.0.i586.rpm
9ed009750d2bcf738ceefce2e4c69512 2007.0/i586/telnet-server-krb5-1.4.3-7.4mdv2007.0.i586.rpm
9e63ac2d698d562ead71d5dd8c7ae315 2007.0/SRPMS/krb5-1.4.3-7.4mdv2007.0.src.rpm

Mandriva Linux 2007.0/X86_64:
029aad278f01c2baef9f93b86b0bc20d 2007.0/x86_64/ftp-client-krb5-1.4.3-7.4mdv2007.0.x86_64.rpm
dae016ff39d8e4d9f517b3197eefd926 2007.0/x86_64/ftp-server-krb5-1.4.3-7.4mdv2007.0.x86_64.rpm
8b3fac7b20798715efdad0d0db6b4472 2007.0/x86_64/krb5-server-1.4.3-7.4mdv2007.0.x86_64.rpm
81f6c05a73c175b581790532aa8572f1 2007.0/x86_64/krb5-workstation-1.4.3-7.4mdv2007.0.x86_64.rpm
41e10d5f06e05ea4cf455a0c3420d09f 2007.0/x86_64/lib64krb53-1.4.3-7.4mdv2007.0.x86_64.rpm
eeebf59564375187f01f628be3ac5132 2007.0/x86_64/lib64krb53-devel-1.4.3-7.4mdv2007.0.x86_64.rpm
cff3b7303e5d157e4ef246867ba396e8 2007.0/x86_64/telnet-client-krb5-1.4.3-7.4mdv2007.0.x86_64.rpm
ee55c784f89a1190efb9ce619ba34227 2007.0/x86_64/telnet-server-krb5-1.4.3-7.4mdv2007.0.x86_64.rpm
9e63ac2d698d562ead71d5dd8c7ae315 2007.0/SRPMS/krb5-1.4.3-7.4mdv2007.0.src.rpm

Corporate 4.0:
d4dcc40949ba7e72823de561b2b5b050 corporate/4.0/i586/ftp-client-krb5-1.4.3-5.6.20060mlcs4.i586.rpm
5e8b8cf4c051f235f2b4a3cc2a8c967c corporate/4.0/i586/ftp-server-krb5-1.4.3-5.6.20060mlcs4.i586.rpm
3c5812da62cc9a0cea89306877386ef7 corporate/4.0/i586/krb5-server-1.4.3-5.6.20060mlcs4.i586.rpm
40b114f22d7109a125cdf5243160c5f1 corporate/4.0/i586/krb5-workstation-1.4.3-5.6.20060mlcs4.i586.rpm
db7506751e5178556652b74d81b06c6d corporate/4.0/i586/libkrb53-1.4.3-5.6.20060mlcs4.i586.rpm
59ec6c3b207538656f2645eb3c0adf6a corporate/4.0/i586/libkrb53-devel-1.4.3-5.6.20060mlcs4.i586.rpm
fe234b5f259def09b88fba24869eba83 corporate/4.0/i586/telnet-client-krb5-1.4.3-5.6.20060mlcs4.i586.rpm
e2b51de61c9a91686e98a05ea98ec05f corporate/4.0/i586/telnet-server-krb5-1.4.3-5.6.20060mlcs4.i586.rpm
6a739594760cabeb536550168eefb333 corporate/4.0/SRPMS/krb5-1.4.3-5.6.20060mlcs4.src.rpm

Corporate 4.0/X86_64:
0b23f077db4f274b061f34eb50f47634 corporate/4.0/x86_64/ftp-client-krb5-1.4.3-5.6.20060mlcs4.x86_64.rpm
c70ca9de25fa8c9f7504f344b5be613a corporate/4.0/x86_64/ftp-server-krb5-1.4.3-5.6.20060mlcs4.x86_64.rpm
ca075a30dfeb617f808d616bbf420c63 corporate/4.0/x86_64/krb5-server-1.4.3-5.6.20060mlcs4.x86_64.rpm
76ec4cd64c814c9cdf44e7c734f66cd9 corporate/4.0/x86_64/krb5-workstation-1.4.3-5.6.20060mlcs4.x86_64.rpm
8eb62cc682d40a65a4b94aedb326cfc0 corporate/4.0/x86_64/lib64krb53-1.4.3-5.6.20060mlcs4.x86_64.rpm
538eb51b88db5d5a368bdbdf74607501 corporate/4.0/x86_64/lib64krb53-devel-1.4.3-5.6.20060mlcs4.x86_64.rpm
c22a1ac95f1a15fb65ee0eec60472936 corporate/4.0/x86_64/telnet-client-krb5-1.4.3-5.6.20060mlcs4.x86_64.rpm
b64f38875ba0dbf2441b1fd78dbf585d corporate/4.0/x86_64/telnet-server-krb5-1.4.3-5.6.20060mlcs4.x86_64.rpm
6a739594760cabeb536550168eefb333 corporate/4.0/SRPMS/krb5-1.4.3-5.6.20060mlcs4.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)

iD8DBQFH4WLsmqjQ0CJFipgRAqPPAKDOpukZQTnwRrBaWSnGspor0gG/LwCg6fPB
/jGRkhAI24wO20EBKKpdYF0=
=Z6Kl
-----END PGP SIGNATURE-----

Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close