---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-2040
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2040
2005-03-06
---------------------------------------------------------------------
Name        : krb5
Versions    : rh7.3: krb5-1.2.4-16.legacy
Versions    : rh9: krb5-1.2.7-38.2.legacy
Versions    : fc1: krb5-1.3.4-5.2.legacy
Summary     : Kerberos 5 programs for use on workstations.
Description :
Kerberos is a network authentication system. The krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd) as well as kerberized versions of Telnet and FTP. If your network uses Kerberos, this package should be installed on every workstation.
---------------------------------------------------------------------
Update Information:
Updated Kerberos (krb5) packages that correct multiple security issues are now available.
Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other.
Note that some of these issues have already been fixed in Fedora Core 1. Please refer to previous advisories for details.
Several buffer overflows were possible for all Kerberos versions up to and including 1.3.3 in the krb5_aname_to_localname library function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0523 to this issue.
Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0642 and CAN-2004-0643 to these issues.
A double-free bug was also found in the krb524 server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0772 to this issue.
An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0644 to this issue.
A heap-based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1189 to this issue.
Additionally, a temporary file bug was found in the Kerberos krb5-send-pr program. An attacker could create a temporary file in a way that causes an arbitrary file to be overwritten, provided the victim has write access to that file. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0971 to this issue.
All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.
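A defender-side check of the advice above, added here as an example that is not part of the original notification: a small Python reimplementation of rpm's version/release comparison, used to decide whether an installed krb5 package (as printed by `rpm -q`) is at or above the fixed releases listed at the top of this notification. The comparison logic is a simplified assumption of this example (no Epoch, tilde or caret handling), which is sufficient for the version strings on this page.

```python
import re

# Fixed krb5 version-release strings from this notification, per distribution.
FIXED = {
    "rh7.3": "1.2.4-16.legacy",
    "rh9": "1.2.7-38.2.legacy",
    "fc1": "1.3.4-5.2.legacy",
}

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm does:
    split into numeric and alphabetic segments; numeric segments compare
    numerically, alphabetic ones lexically, and a numeric segment beats an
    alphabetic one in the same position. Leftover segments win.
    Simplified reimplementation (assumption): no tilde/caret support."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn != yn:
            return 1 if xn else -1
        if xn:
            x, y = x.lstrip("0") or "0", y.lstrip("0") or "0"
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(installed: str, fixed: str) -> int:
    """Compare 'version-release' strings: version first, then release."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def nvr_to_vr(nvr: str) -> str:
    """'krb5-libs-1.2.7-38.1.legacy' (output of `rpm -q krb5-libs`) -> '1.2.7-38.1.legacy'."""
    _, v, r = nvr.rsplit("-", 2)
    return f"{v}-{r}"


def is_patched(distro: str, nvr: str) -> bool:
    """True if the installed package is at or above the fixed release for distro."""
    return evr_cmp(nvr_to_vr(nvr), FIXED[distro]) >= 0
```

Feed it the output of `rpm -q krb5-libs krb5-server krb5-workstation` on each host; any package that reports False is still exposed to the issues above.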
---------------------------------------------------------------------
Changelogs
rh73:
* Sun Mar 06 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.2.4-16.legacy
- Added missing libtool BuildPrereq
* Sat Feb 26 2005 Pekka Savola <pekkas@xxxxxxxxxx> 1.2.4-15.legacy
- apply ~all patches from RHEL21 between 1.2.2-24 to -32 (#2040)
- don't apply DNS usage patch, as it would be a new feature
rh9:
* Sun Mar 06 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.2.7-38.2.legacy
- Added missing libtool and autoconf213 to BuildPrereq
* Sat Feb 26 2005 Pekka Savola <pekkas@xxxxxxxxxx> 1.2.7-38.1.legacy
- Rebuild for Fedora Legacy, to fix a number of bugs (#2040)
* Wed Dec 22 2004 Nalin Dahyabhai <nalin@xxxxxxxxxx> 1.2.7-38
- add additional hunk to fix for #123031 for xdr encoding/decoding of gssapi buffers (part of #143127)
fc1:
* Sun Mar 06 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.3.4-5.2.legacy
- Added missing autoconf BuildPrereq
* Wed Mar 02 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.3.4-5.1.legacy
- Added security patches for CAN-2004-0971 and CAN-2004-1189
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)
---------------------------------------------------------------------
Please test and comment in bugzilla.
--
fedora-legacy-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-legacy-list