Red Hat Bugzilla – Bug 82961
krb5 < 1.2.5 vulnerable to multiple attacks
Last modified: 2007-03-27 00:00:24 EDT
Description of problem: According to the included URL, krb5's KDC < 1.2.5 is
vulnerable to multiple attacks.
Are there patches and/or errata in the queue for release?
Would a rebuild of SRPMs from 8.0 work on 7.3?

Only the following two of the four listed vulnerabilities apply to Red Hat Linux:
An integer signedness error in the ASN.1 decoder before version 1.2.5
allows remote attackers to cause a denial of service via a large unsigned
data element length, which is later used as a negative value. The Common
Vulnerabilities and Exposures project has assigned the name CAN-2002-0036
to this issue. Red Hat Linux 8.0 and later is not affected by this issue.
The Key Distribution Center (KDC) before version 1.2.5 allows remote,
authenticated, attackers to cause a denial of service (crash) on KDCs
within the same realm via a certain protocol request that causes a null
dereference. The Common Vulnerabilities and Exposures project has assigned
the name CAN-2003-0058 to this issue. Red Hat Linux 8.0 and later is not
affected by this issue.
An advisory containing backported patches for these issues is being worked on.
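The defect class named above for CAN-2002-0036 (a large unsigned length read into a signed int, which then slips past a "too long" comparison as a negative value) is shown below as an added example. It is not krb5's ASN.1 decoder: the 4-byte big-endian length prefix, the element limit, the sample inputs and the function names are all constructed for this illustration, with the defective decoder placed next to a bounds-checked one.

```c
/* Added example, not krb5 code: a toy length-prefixed element decoder that
 * shows the signedness defect class behind CAN-2002-0036. The element layout
 * (4-byte big-endian length, then payload) and MAX_ELEMENT are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ELEMENT 64  /* assumed upper bound for one element's payload */

/* Constructed inputs for the demonstration. */
static const unsigned char hostile_elem[]   = {0xFF, 0xFF, 0xFF, 0xF0, 'a', 'b'}; /* length 0xFFFFFFF0 */
static const unsigned char benign_elem[]    = {0x00, 0x00, 0x00, 0x02, 'a', 'b'}; /* length 2, fits */
static const unsigned char truncated_elem[] = {0x00, 0x00, 0x00, 0x10, 'a', 'b'}; /* claims 16, only 2 present */

/* Read the 4-byte big-endian length prefix as an unsigned value. */
static uint32_t read_be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Defective decoder: the length lands in a signed int. On a two's-complement
 * compiler a value with the top bit set becomes negative, so "len > MAX_ELEMENT"
 * is false and the caller receives a negative length, which is exactly the
 * "later used as a negative value" condition from the advisory text.
 * Returns 0 if the check accepted the length (stored in *out), -1 if rejected. */
int decode_len_signed(const unsigned char *buf, size_t buflen, int *out) {
    if (buflen < 4) return -1;
    int len = (int)read_be32(buf);        /* signedness error: uint32_t -> int */
    if (len > MAX_ELEMENT) return -1;     /* a negative len passes this check */
    *out = len;
    return 0;
}

/* Hardened decoder: keep the length unsigned and check it against both the
 * element limit and the bytes actually remaining after the prefix.
 * Returns 0 and sets *out on success, -1 on any bounds failure. */
int decode_len_checked(const unsigned char *buf, size_t buflen, size_t *out) {
    if (buflen < 4) return -1;
    uint32_t len = read_be32(buf);
    if (len > MAX_ELEMENT) return -1;          /* element limit */
    if ((size_t)len > buflen - 4) return -1;   /* payload must fit in the input */
    *out = len;
    return 0;
}

int main(void) {
    int l;
    size_t n;
    if (decode_len_signed(hostile_elem, sizeof hostile_elem, &l) == 0)
        printf("signed decoder accepted hostile length as %d\n", l);
    printf("checked decoder on hostile input: %d\n",
           decode_len_checked(hostile_elem, sizeof hostile_elem, &n));
    printf("checked decoder on truncated input: %d\n",
           decode_len_checked(truncated_elem, sizeof truncated_elem, &n));
    if (decode_len_checked(benign_elem, sizeof benign_elem, &n) == 0)
        printf("checked decoder on benign input: length %zu\n", n);
    return 0;
}
```

The point to take from the pair is that the fix is not only the unsigned type: the checked version also compares the length against the bytes that remain in the buffer, which is the check that stops a claimed length from driving a read past the end of the input.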

These and other issues were fixed by errata out on Mar 26.