Content-Disposition: inline ==========================================================================Ubuntu Security Notice USN-1520-1 July 31, 2012 krb5 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 12.04 LTS - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.04 LTS Summary: Several security issues were fixed in Kerberos. Software Description: - krb5: MIT Kerberos Network Authentication Protocol Details: Emmanuel Bouillon discovered that the MIT krb5 Key Distribution Center (KDC) daemon could free an uninitialized pointer when handling a malformed AS-REQ message. A remote unauthenticated attacker could use this to cause a denial of service or possibly execute arbitrary code. (CVE-2012-1015) Emmanuel Bouillon discovered that the MIT krb5 Key Distribution Center (KDC) daemon could dereference an uninitialized pointer while handling a malformed AS-REQ message. A remote unauthenticated attacker could use this to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1014) Simo Sorce discovered that the MIT krb5 Key Distribution Center (KDC) daemon could dereference a NULL pointer when handling a malformed TGS-REQ message. A remote authenticated attacker could use this to cause a denial of service. (CVE-2012-1013) It was discovered that the kadmin protocol implementation in MIT krb5 did not properly restrict access to the SET_STRING and GET_STRINGS operations. A remote authenticated attacker could use this to expose or modify sensitive information. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1012) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 12.04 LTS: krb5-admin-server 1.10+dfsg~beta1-2ubuntu0.3 krb5-kdc 1.10+dfsg~beta1-2ubuntu0.3 krb5-kdc-ldap 1.10+dfsg~beta1-2ubuntu0.3 Ubuntu 11.10: krb5-admin-server 1.9.1+dfsg-1ubuntu2.3 krb5-kdc 1.9.1+dfsg-1ubuntu2.3 krb5-kdc-ldap 1.9.1+dfsg-1ubuntu2.3 Ubuntu 11.04: krb5-admin-server 1.8.3+dfsg-5ubuntu2.3 krb5-kdc 1.8.3+dfsg-5ubuntu2.3 krb5-kdc-ldap 1.8.3+dfsg-5ubuntu2.3 Ubuntu 10.04 LTS: krb5-admin-server 1.8.1+dfsg-2ubuntu0.11 krb5-kdc 1.8.1+dfsg-2ubuntu0.11 krb5-kdc-ldap 1.8.1+dfsg-2ubuntu0.11 In general, a standard system update will make all the necessary changes. References: http://www.ubuntu.com/usn/usn-1520-1 CVE-2012-1012, CVE-2012-1013, CVE-2012-1014, CVE-2012-1015 Package Information: https://launchpad.net/ubuntu/+source/krb5/1.10+dfsg~beta1-2ubuntu0.3 https://launchpad.net/ubuntu/+source/krb5/1.9.1+dfsg-1ubuntu2.3 https://launchpad.net/ubuntu/+source/krb5/1.8.3+dfsg-5ubuntu2.3 https://launchpad.net/ubuntu/+source/krb5/1.8.1+dfsg-2ubuntu0.11