-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:202-1 http://www.mandriva.com/security/ _______________________________________________________________________ Package : krb5 Date : November 2, 2010 Affected: Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability was discovered and corrected in krb5: The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or possibly obtain sensitive information, spoof authorization, or execute arbitrary code, via a TGS request, as demonstrated by a request from a Windows Active Directory client (CVE-2010-1322). The updated packages have been patched to correct this issue. Update: Update packages for MES5 were missing with the MDVSA-2010:202 advisory. This advisory provides the update packages. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1322 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-006.txt _______________________________________________________________________ Updated Packages: Mandriva Enterprise Server 5: 9861393bd5a3d68522009a7aa7f1c464 mes5/i586/krb5-1.8.1-0.2mdvmes5.1.i586.rpm 322533f773fc193c80a9ada2832a8509 mes5/i586/krb5-pkinit-openssl-1.8.1-0.2mdvmes5.1.i586.rpm c136e6a7af35261c85680d711a250d4e mes5/i586/krb5-server-1.8.1-0.2mdvmes5.1.i586.rpm 11f482c3e89a3bd604cce91a2a9350d4 mes5/i586/krb5-server-ldap-1.8.1-0.2mdvmes5.1.i586.rpm 996820e1994bdb9ffc5d2992426e6a28 mes5/i586/krb5-workstation-1.8.1-0.2mdvmes5.1.i586.rpm ffd0a9897c5fe0dbf28f026d019566cc mes5/i586/libkrb53-1.8.1-0.2mdvmes5.1.i586.rpm fe92a3a286a954a0b59874384da33159 mes5/i586/libkrb53-devel-1.8.1-0.2mdvmes5.1.i586.rpm c789015f879f629e501fea39dbfe7165 mes5/SRPMS/krb5-1.8.1-0.2mdvmes5.1.src.rpm Mandriva Enterprise Server 5/X86_64: e2ac6d2ae7b216bb1085eedb7a3656b5 mes5/x86_64/krb5-1.8.1-0.2mdvmes5.1.x86_64.rpm c6905743e2859e27588c9be83f240ce2 mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.2mdvmes5.1.x86_64.rpm 5f2ac7007222213cec343f0edfeaef4a mes5/x86_64/krb5-server-1.8.1-0.2mdvmes5.1.x86_64.rpm cdbf46e0ebf1a757d866680ca14300ed mes5/x86_64/krb5-server-ldap-1.8.1-0.2mdvmes5.1.x86_64.rpm d975cc9e3bfc877b89e8a070fb9c9c89 mes5/x86_64/krb5-workstation-1.8.1-0.2mdvmes5.1.x86_64.rpm 3d501997aa0f61c7c4ecf68a68b37a5a mes5/x86_64/lib64krb53-1.8.1-0.2mdvmes5.1.x86_64.rpm 5fb83ceb94d50beb80d41658b2495e34 mes5/x86_64/lib64krb53-devel-1.8.1-0.2mdvmes5.1.x86_64.rpm c789015f879f629e501fea39dbfe7165 mes5/SRPMS/krb5-1.8.1-0.2mdvmes5.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team <security*mandriva.com> -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFMz/XDmqjQ0CJFipgRAhQFAJ9OPZ2qrLbzgleKAP3rRAIXRVA/dgCfTvVg Ywk5M3FfLpbMCv4jkCow72I= =bRsh -----END PGP SIGNATURE-----