Home > Security > Advisories

Advisories

Mandriva Advisories

Package name krb5
Date April 10th, 2007
Advisory ID MDKSA-2007:077-1
Affected versions 2007.1
Synopsis Updated krb5 packages fix vulnerabilities

Problem Description

A vulnerability was found in the username handling of the MIT krb5
telnet daemon. A remote attacker that could access the telnet port
of a target machine could login as root without requiring a password
(CVE-2007-0956).

Buffer overflows in the kadmin server daemon were discovered that could
be exploited by a remote attacker able to access the KDC. Successful
exploitation could allow for the execution of arbitrary code with
the privileges of the KDC or kadmin server processes (CVE-2007-0957).

Finally, a double-free flaw was discovered in the GSSAPI library used
by the kadmin server daemon, which could lead to a denial of service
condition or the execution of arbitrary code with the privileges of
the KDC or kadmin server processes (CVE-2007-1216).

Updated packages have been patched to address this issue.

Update:

Packages for Mandriva Linux 2007.1 are now available.

Updated Packages

Mandriva Linux 2007.1

 5eae0ebe3be9e580c1c19ee041c9d72f  2007.1/i586/ftp-client-krb5-1.5.2-6.1mdv2007.1.i586.rpm
 83dd6a9c403f9ea3bc32a40a64c98fbf  2007.1/i586/ftp-server-krb5-1.5.2-6.1mdv2007.1.i586.rpm
 7fc832a70c77923aeec52cd309ee9c6f  2007.1/i586/krb5-server-1.5.2-6.1mdv2007.1.i586.rpm
 e54a01775aa24a1d9a08090b62b59a6c  2007.1/i586/krb5-workstation-1.5.2-6.1mdv2007.1.i586.rpm
 cfeabf699713ff757eb646ab681a6acc  2007.1/i586/libkrb53-1.5.2-6.1mdv2007.1.i586.rpm
 c3bf54b449ec81b27a7ca5a41dff9a7a  2007.1/i586/libkrb53-devel-1.5.2-6.1mdv2007.1.i586.rpm
 801cd83b96ebcd8f3ca425543f1f63a5  2007.1/i586/telnet-client-krb5-1.5.2-6.1mdv2007.1.i586.rpm
 0568ed507d58f76302071b197d9523cc  2007.1/i586/telnet-server-krb5-1.5.2-6.1mdv2007.1.i586.rpm 
 5e774ba6ce43122995ac39c43164d092  2007.1/SRPMS/krb5-1.5.2-6.1mdv2007.1.src.rpm

Mandriva Linux 2007.1/X86_64

 392287e6ad669fd9321a9de1c85796d8  2007.1/x86_64/ftp-client-krb5-1.5.2-6.1mdv2007.1.x86_64.rpm
 68349333c7611dee78c814ea4fc2d9f2  2007.1/x86_64/ftp-server-krb5-1.5.2-6.1mdv2007.1.x86_64.rpm
 a651024d2b42bc67033287e6795db6b5  2007.1/x86_64/krb5-server-1.5.2-6.1mdv2007.1.x86_64.rpm
 28cd0236420330bb839b8e39ef2949c2  2007.1/x86_64/krb5-workstation-1.5.2-6.1mdv2007.1.x86_64.rpm
 690eb27a9d90ab5319f70ea8f7326be4  2007.1/x86_64/lib64krb53-1.5.2-6.1mdv2007.1.x86_64.rpm
 058d267b757c9ba63200e26f258100c3  2007.1/x86_64/lib64krb53-devel-1.5.2-6.1mdv2007.1.x86_64.rpm
 d1bed5a3c84f0cc3e96d4760faa33477  2007.1/x86_64/telnet-client-krb5-1.5.2-6.1mdv2007.1.x86_64.rpm
 ee1b6269c10f066d8fbd6ee2d0c2c818  2007.1/x86_64/telnet-server-krb5-1.5.2-6.1mdv2007.1.x86_64.rpm 
 5e774ba6ce43122995ac39c43164d092  2007.1/SRPMS/krb5-1.5.2-6.1mdv2007.1.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0956
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1216
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-002-syslog.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt

Upgrade

To upgrade automatically, use MandrivaUpdate.


Verification

Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :

                rpm --checksig package.rpm

You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.

If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.