Bug 491033 (CVE-2009-0844)
Summary: | CVE-2009-0844 krb5: buffer over-read in SPNEGO GSS-API mechanism (MITKRB5-SA-2009-001) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> | ||||||
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
Status: | CLOSED ERRATA | QA Contact: | |||||||
Severity: | high | Docs Contact: | |||||||
Priority: | high | ||||||||
Version: | unspecified | CC: | mjc, nalin, skakar | ||||||
Target Milestone: | --- | Keywords: | Security | ||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
URL: | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0844 | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2009-04-09 09:35:10 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Bug Depends On: | 490635, 490636 | ||||||||
Bug Blocks: | |||||||||
Attachments: |
|
Description
Vincent Danen
2009-03-19 02:02:52 UTC
The affected code is not in versions older than krb5 1.5, so only RHEL5 is affected (krb5 1.3.4 is in RHEL4). Created attachment 335792 [details] patch to fix MITKRB5-SA-2009-001 issues (CVE-2009-{0844,0845,0847} This patch corrects CVE-2009-0844, CVE-2009-0845, and CVE-2009-0846. Provided by upstream. CVE-2009-0845 was previously disclosed, see bug #490634. Created attachment 337997 [details] Updated upstream patch Upstream has updated patch for CVE-2009-0844 and CVE-2009-0845, fixing limited buffer over-read possible with previous patch. Few extra checks were added, and patch for CVE-2009-0845 was changed to provide an error token. Public now via: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2009:0408 https://rhn.redhat.com/errata/RHSA-2009-0408.html krb5-1.6.3-16.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. krb5-1.6.3-18.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report. This issue was addressed in: Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2009-0408.html Fedora: https://admin.fedoraproject.org/updates/F10/FEDORA-2009-2852 https://admin.fedoraproject.org/updates/F9/FEDORA-2009-2834 |