Bug 82961 - krb5 < 1.2.5 vulnerable to multiple attacks
krb5 < 1.2.5 vulnerable to multiple attacks
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: krb5 (Show other bugs)
7.3
All Linux
high Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
http://online.securityfocus.com/archi...
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-01-28 18:57 EST by Seth Vidal
Modified: 2007-03-27 00:00 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-04-23 06:36:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Seth Vidal 2003-01-28 18:57:13 EST
Description of problem: According to the included URL krb5's kdc <1.2.5 is
vulnerable to multiple attacks.

Are there patches and/or errata in the queue for release?

would a rebuild of srpms from 8.0 work on 7.3?



thanks
-sv
Comment 1 Mark J. Cox (Product Security) 2003-02-06 06:23:32 EST
Only the following two of the four listed vulnerabilities apply to Red Hat Linux
7.3:

An integer signedness error in the ASN.1 decoder before version 1.2.5
allows remote attackers to cause a denial of service via a large unsigned
data element length, which is later used as a negative value. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2002-0036
to this issue. Red Hat Linux 8.0 and later is not affected by this issue.

The Key Distribution Center (KDC) before version 1.2.5 allows remote,
authenticated, attackers to cause a denial of service (crash) on KDCs
within the same realm via a certain protocol request that causes a null
dereference. The Common Vulnerabilities and Exposures project has assigned
the name CAN-2003-0058 to this issue. Red Hat Linux 8.0 and later is not
affected by this issue.

An advisory containing backported patches for these issues is being worked on
Comment 2 Mark J. Cox (Product Security) 2003-04-23 06:36:01 EDT
These and other issues were fixed by errata
http://rhn.redhat.com/errata/RHSA-2003-051.html
out on Mar26

Note You need to log in before you can comment on or make changes to this bug.