Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 505265

Summary: CVE-2009-1384 RHEL-5's pam_krb5: Password prompt varies for existent and non-existent users
Product: Red Hat Enterprise Linux 5 Reporter: Jan Lieskovsky <jlieskov>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: BaseOS QE <qe-baseos-auto>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.3CC: anton.fang, bmason, cward, dpal, rbiba, rlerch, security-response-team, syeghiay, tao
Target Milestone: rcKeywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pam_krb5-2.2.14-15 Doc Type: Bug Fix
Doc Text:
When pam_krb5 is configured to be called first during authentication, the password prompt will no longer vary based on whether or not the user-supplied login name corresponds to an actual user on the system.
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-30 08:33:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 499522, 502602, 541103    

Description Jan Lieskovsky 2009-06-11 09:04:00 UTC
A security flaw was found in PAM pam_krb5 module, providing user authentication
based on Kerberos principals. A remote attacker could use this flaw to
recognize, if some username/login belongs to set of user accounts,
existing on the system, and subsequently perform dictionary based password
guess attack.

Comment 8 Nalin Dahyabhai 2010-02-04 23:32:26 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When pam_krb5 is configured to be called first during authentication, the password prompt will no longer vary based on whether or not the user-supplied login name corresponds to an actual user on the system.

Comment 9 Chris Ward 2010-02-11 10:19:50 UTC
~~ Attention Customers and Partners - RHEL 5.5 Beta is now available on RHN ~~

RHEL 5.5 Beta has been released! There should be a fix present in this 
release that addresses your request. Please test and report back results 
here, by March 3rd 2010 (2010-03-03) or sooner.

Upon successful verification of this request, post your results and update 
the Verified field in Bugzilla with the appropriate value.

If you encounter any issues while testing, please describe them and set 
this bug into NEED_INFO. If you encounter new defects or have additional 
patch(es) to request for inclusion, please clone this bug per each request
and escalate through your support representative.

Comment 12 errata-xmlrpc 2010-03-30 08:33:13 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2010-0258.html