rPath alert rPSA-2007-0063-1 (krb5)

From:
    	     
 
rPath Update Announcements <announce-noreply@rpath.com>
To:
    	     
 
security-announce@lists.rpath.com, update-announce@lists.rpath.com
Subject:
    	     
 
rPSA-2007-0063-1 krb5 krb5-server krb5-services krb5-test
 krb5-workstation
Date:
    	     
 
Wed, 04 Apr 2007 04:23:59 -0400
Cc:
    	     
 
full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, lwn@lwn.net
rPath Security Advisory: 2007-0063-1
Published: 2007-04-04
Products: rPath Linux 1
Rating: Critical
Exposure Level Classification:
    Remote Root Deterministic Unauthorized Access
Updated Versions:
    krb5=/conary.rpath.com@rpl:devel//1/1.4.1-7.6-1
    krb5-server=/conary.rpath.com@rpl:devel//1/1.4.1-7.6-1
    krb5-services=/conary.rpath.com@rpl:devel//1/1.4.1-7.6-1
    krb5-test=/conary.rpath.com@rpl:devel//1/1.4.1-7.6-1
    krb5-workstation=/conary.rpath.com@rpl:devel//1/1.4.1-7.6-1

References:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0956
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0957
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1216
    https://issues.rpath.com/browse/RPL-1212

Description:
    Previous versions of the krb5 package are vulnerable to three attacks
    that can be triggered remotely, one of which is known to provide
    unauthenticated unrestricted shell access to any system running
    the krb5 telnet daemon.  rPath Linux systems are not automatically
    configured with vulnerable daemons enabled.  Systems configured as
    kerberos administrative servers are vulnerable.