User: Password:
Subscribe / Log in / New account

OpenPKG alert OpenPKG-SA-2007.006 (kerberos)

From:  OpenPKG GmbH <>
Subject:  [OpenPKG-SA-2007.006] OpenPKG Security Advisory (kerberos)
Date:  Wed, 10 Jan 2007 10:44:23 +0100

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ____________________________________________________________________________ Publisher Name: OpenPKG GmbH Publisher Home: Advisory Id (public): OpenPKG-SA-2007.006 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: Advisory Document: Advisory Published: 2007-01-10 10:44 UTC Issue Id (internal): OpenPKG-SI-20070110.01 Issue First Created: 2007-01-10 Issue Last Modified: 2007-01-10 Issue Revision: 07 ____________________________________________________________________________ Subject Name: MIT Kerberos Subject Summary: Kerberos Network Authentication System Subject Home: Subject Versions: * <= 1.5.1 Vulnerability Id: CVE-2006-6143, cert:VU#481564, CVE-2006-6144, cert:VU#831452, cert:TA07-009B Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: denial of service, arbitrary code execution Description: According to vendor security advisories [0][1], two security issues exist in the Kerberos network authentication system implementation MIT Kerberos [2]. First, the RPC library could call an uninitialized function pointer, which created a security vulnerability for kadmind(8). Second, the GSS-API "mechglue" layer could fail to initialize some output pointers, causing callers to attempt to free uninitialized pointers. This caused another security vulnerability in kadmind(8). References: [0] [1] [2] ____________________________________________________________________________ Primary Package Name: kerberos Primary Package Home: Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Enterprise E1.0-SOLID kerberos-1.5.1-E1.0.1 OpenPKG Community 2-STABLE-20061018 kerberos-1.6-2.20070110 OpenPKG Community 2-STABLE kerberos-1.6-2.20070110 OpenPKG Community CURRENT kerberos-1.6-20070110 ____________________________________________________________________________ For security reasons, this document was digitally signed with the OpenPGP public key of the OpenPKG GmbH (public key id 61B7AE34) which you can download from or retrieve from the OpenPGP keyserver at hkp:// Follow the instructions at for more details on how to verify the integrity of this document. ____________________________________________________________________________ -----BEGIN PGP SIGNATURE----- Comment: OpenPKG GmbH <> iD8DBQFFpLVzZwQuyWG3rjQRAjHvAJ4/HGsZEborEXqqWQmd+IW7eCwbPACfTkDf eBFl17XLkM2oeEx1Asx4q0Y= =SZ1f -----END PGP SIGNATURE-----

(Log in to post comments)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds