--------------------------------------------------------------------- Fedora Legacy Test Update Notification FEDORALEGACY-2005-154276 Bugzilla https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154276 2005-06-19 --------------------------------------------------------------------- Name : krb5 Versions : rh7.3: krb5-1.2.4-16.1.legacy Versions : rh9: krb5-1.2.7-38.3.legacy Versions : fc1: krb5-1.3.4-5.3.legacy Summary : Kerberos 5 programs for use on workstations. Description : Kerberos is a network authentication system. The krb5-workstation package contains the basic Kerberos programs (kinit, klist, kdestroy, kpasswd) as well as kerberized versions of Telnet and FTP. If your network uses Kerberos, this package should be installed on every workstation. --------------------------------------------------------------------- Update Information: Updated Kerberos (krb5) packages that correct multiple security issues are now available. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. Note that some of these issues have already been fixed in Fedora Core 1. Please refer to previous advisories for details. Several buffer overflows were possible for all Kerberos versions up to and including 1.3.3 in the krb5_aname_to_localname library function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0523 to this issue. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execuate arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0642 and CAN-2004-0643 to these issues. A double-free bug was also found in the krb524 server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0772 to this issue. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0644 to this issue. A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1189 to this issue. Additionally a temporary file bug was found in the Kerberos krb5-send-pr program. It is possible that an attacker could create a temporary file that would allow an arbitrary file to be overwritten which the victim has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0971 to this issue. The krb5-workstation package includes a Kerberos-aware telnet client. Two buffer overflow flaws were discovered in the way the telnet client handles messages from a server. An attacker may be able to execute arbitrary code on a victim's machine if the victim can be tricked into connecting to a malicious telnet server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2005-0468 and CAN-2005-0469 to these issues. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues. --------------------------------------------------------------------- Changelogs rh73: * Tue Jun 07 2005 Pekka Savola <pekkas@xxxxxxxxxx> 1.2.4-16.1.legacy - Fix telnet client vulnerabilities from RHEL (#154276) * Sun Mar 06 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.2.4-16.legacy - Added missing libtool BuildPrereq * Sat Feb 26 2005 Pekka Savola <pekkas@xxxxxxxxxx> 1.2.4-15.legacy - apply ~all patches from RHEL21 between 1.2.2-24 to -32 (#2040) - don't apply DNS usage patch, as it would be a new feature rh9: * Tue Jun 07 2005 Pekka Savola <pekkas@xxxxxxxxxx> 1.2.7-38.3.legacy - Fix telnet client vulnerabilities from RHEL (#154276) * Sun Mar 06 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.2.7-38.2.legacy - Added missing libtool and autoconf213 to BuildPrereq * Sat Feb 26 2005 Pekka Savola <pekkas@xxxxxxxxxx> 1.2.7-38.1.legacy - Rebuild for Fedora Legacy, to fix a number of bugs (#2040) * Wed Dec 22 2004 Nalin Dahyabhai <nalin@xxxxxxxxxx> 1.2.7-38 - add additional hunk to fix for #123031 for xdr encoding/decoding of gssapi buffers (part of #143127) fc1: * Tue Jun 07 2005 Pekka Savola <pekkas@xxxxxxxxxx> 1.3.4-5.3.legacy - Fix telnet client vulnerabilities from Fedora FC2 CVS (#154276) * Sun Mar 06 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.3.4-5.2.legacy - Added missing autoconf BuildPrereq * Wed Mar 02 2005 Marc Deslauriers <marcdeslauriers@xxxxxxxxxxxx> 1.3.4-5.1.legacy - Added security patches for CAN-2004-0971 and CAN-2004-1189 --------------------------------------------------------------------- This update can be downloaded from: http://download.fedoralegacy.org/ (sha1sums) rh7.3: 4fcc561d7f179fb0672b0f273043c272b790f423 redhat/7.3/updates-testing/i386/krb5-devel-1.2.4-16.1.legacy.i386.rpm 07938a62bd7498733b3e535a381fe18223184eda redhat/7.3/updates-testing/i386/krb5-libs-1.2.4-16.1.legacy.i386.rpm c81a4385ede484d89187d5836d49cacbc5655ee1 redhat/7.3/updates-testing/i386/krb5-server-1.2.4-16.1.legacy.i386.rpm 568b4b641c2b9a54eafd14b4099bc72d49f02137 redhat/7.3/updates-testing/i386/krb5-workstation-1.2.4-16.1.legacy.i386.rpm 4ee83ff2a6f0bd9bdbf0726ba2fd4acf6c5f43cc redhat/7.3/updates-testing/SRPMS/krb5-1.2.4-16.1.legacy.src.rpm rh9: 0111aeb1c5946f18e8a48d1d27d8493c919ca936 redhat/9/updates-testing/i386/krb5-devel-1.2.7-38.3.legacy.i386.rpm 35141598dbb9c60e8cd0b3f06b23528ee526bb46 redhat/9/updates-testing/i386/krb5-libs-1.2.7-38.3.legacy.i386.rpm bcaf771e3de01b16e73327cc3643a2ebd4fda6dd redhat/9/updates-testing/i386/krb5-server-1.2.7-38.3.legacy.i386.rpm 4b4b056d4abc0d69c14e7df45fa3b02e76db48fb redhat/9/updates-testing/i386/krb5-workstation-1.2.7-38.3.legacy.i386.rpm ddc2bdafbecf5801a7238187936fee99966efc65 redhat/9/updates-testing/SRPMS/krb5-1.2.7-38.3.legacy.src.rpm fc1: 389b8b7b2b59b4363f941e22213be5794e3321a0 fedora/1/updates-testing/i386/krb5-devel-1.3.4-5.3.legacy.i386.rpm f0f7a0e7a002751d9ed19d2c573f9b332759ac00 fedora/1/updates-testing/i386/krb5-libs-1.3.4-5.3.legacy.i386.rpm 8d685627a81c1cc51545e8d43db8c3f2acc4a520 fedora/1/updates-testing/i386/krb5-server-1.3.4-5.3.legacy.i386.rpm 9aed15c515e7e319fe880b064ecc595565db6575 fedora/1/updates-testing/i386/krb5-workstation-1.3.4-5.3.legacy.i386.rpm d8f81d57720d1b4c4fc393778f82d7119aeb209c fedora/1/updates-testing/SRPMS/krb5-1.3.4-5.3.legacy.src.rpm --------------------------------------------------------------------- Please test and comment in bugzilla.
Attachment:
signature.asc
Description: OpenPGP digital signature
-- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list
