Eridani alert ERISA-2002:038 (krb5)
From: Eridani Star System <linux@eridani.co.uk>
To: eridani-announce@eridani.co.uk
Subject: [Eridani-Announce] ERISA-2002:038 - krb5
Date: Fri, 16 Aug 2002 05:51:10 +0100 (BST)
=========================================================================
                  ERIDANI LINUX - SECURITY ANNOUNCEMENT
=========================================================================
Package:  krb5 (Kerberos)
Summary:  Buffer overflow in Sun RPC XDR decoder
Date:     2002-08-16
ID:       ERISA-2002:038
=========================================================================
Problem description:

XDR is a mechanism for encoding data structures for use with Sun RPC,
which allows client processes to invoke procedures in a server process
over a network. The Kerberos 5 authentication system contains an RPC
library used for network authentication, which includes an XDR decoder
derived from Sun's RPC implementation.

This XDR implementation has been shown to be vulnerable to a heap buffer
overflow. It is currently believed that an attacker would need to
authenticate to kadmin before this attack could succeed. No exploit is
currently known to exist; nevertheless, upgrading to the updated packages
listed below, which are not vulnerable to this issue, is strongly
recommended.

-------------------------------------------------------------------------
Updated packages:

38ef2da7e43521b0a3a58b904e8f4b1e  krb5-1.2.2-14.src.rpm
034a269c2967c39cee15b9d2788c6652  krb5-devel-1.2.2-14.i386.rpm
6d2ed6f572078406f59beb4e64ae2d82  krb5-libs-1.2.2-14.i386.rpm
9333f093834f269ce7ebb4c8378c1765  krb5-server-1.2.2-14.i386.rpm
b65d5f5e32de4f974b60eab2fcf2f6ac  krb5-workstation-1.2.2-14.i386.rpm

-------------------------------------------------------------------------
References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0391

=========================================================================
Packages are available from ftp://ftp.eridani.co.uk/pub/Aeryn/ or by HTTP
from http://ftp.eridani.co.uk/

Packages are signed with our GNU GPG key, which is also on our FTP site.

Users of releases of Eridani Linux prior to 6.3 are advised to download
the source RPM and rebuild it for their system.
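The advisory does not name the affected routine or explain how the overflow arises. The referenced CAN-2002-0391 entry concerns a length computation in the Sun RPC-derived xdr_array decoder: the element count is read from the wire, the allocation size is computed from it in 32-bit arithmetic and can wrap, and the decode loop then writes far more elements than the heap buffer holds. The example below is added for this page and is not code from krb5, Sun RPC, or Eridani; it shows the wrapping size computation next to a hardened decoder for an XDR array of 32-bit integers that bounds the count against the bytes actually received and checks the multiplication. All function names and both sample messages are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* XDR encodes a variable-length array as a 4-byte big-endian element
 * count followed by the elements, each padded to a 4-byte boundary. */
static uint32_t get_u32_be(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The size computation as the older decoders did it: the product is
 * taken in a 32-bit unsigned and silently wraps for large counts. */
uint32_t naive_alloc_size(uint32_t count, uint32_t elsize) {
    return count * elsize;
}

/* Hardened size computation: refuse any count whose product would not
 * fit in 32 bits. Returns 1 and writes *out on success, 0 on overflow. */
int checked_alloc_size(uint32_t count, uint32_t elsize, uint32_t *out) {
    if (elsize == 0 || count > UINT32_MAX / elsize)
        return 0;
    *out = count * elsize;
    return 1;
}

/* Decode an XDR array of uint32 from buf[0..len). On success returns the
 * element count (>= 0) and stores a malloc'd array in *out; returns -1
 * and leaves *out untouched on malformed input. (Illustrative decoder,
 * not the krb5 routine.) */
long xdr_decode_u32_array(const uint8_t *buf, size_t len, uint32_t **out) {
    uint32_t count, nbytes;
    if (len < 4)
        return -1;
    count = get_u32_be(buf);
    /* Check 1: the count must be consistent with the bytes actually
     * present. A count large enough to wrap the size can never be backed
     * by real data, so this check alone defeats the attack. */
    if (count > (len - 4) / 4)
        return -1;
    /* Check 2: independently, the allocation size must not wrap. */
    if (!checked_alloc_size(count, 4, &nbytes))
        return -1;
    uint32_t *arr = malloc(nbytes ? nbytes : 1);
    if (!arr)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        arr[i] = get_u32_be(buf + 4 + 4 * (size_t)i);
    *out = arr;
    return (long)count;
}

/* Constructed sample: a well-formed array of three elements. */
long demo_decode_good(void) {
    static const uint8_t msg[] = { 0,0,0,3,  0,0,0,1,  0,0,0,2,
                                   0xde,0xad,0xbe,0xef };
    uint32_t *arr = NULL;
    long n = xdr_decode_u32_array(msg, sizeof msg, &arr);
    if (n == 3 && arr[2] != 0xdeadbeefu)
        n = -2;                       /* content mismatch */
    free(arr);
    return n;
}

/* Constructed hostile sample: count 0x40000001. In 32-bit arithmetic
 * 0x40000001 * 4 wraps to 4, so a naive decoder would malloc(4) and
 * then write a billion elements into it. The hardened decoder rejects
 * the message because the count exceeds the data present. */
long demo_decode_hostile(void) {
    static const uint8_t msg[] = { 0x40,0,0,1,  0,0,0,0 };
    uint32_t *arr = NULL;
    long n = xdr_decode_u32_array(msg, sizeof msg, &arr);
    free(arr);                        /* arr is still NULL on rejection */
    return n;
}

int main(void) {
    uint32_t sz;
    printf("naive size for count 0x40000001: %u bytes\n",
           naive_alloc_size(0x40000001u, 4));
    printf("checked size accepted: %d\n",
           checked_alloc_size(0x40000001u, 4, &sz));
    printf("good message -> %ld elements\n", demo_decode_good());
    printf("hostile message -> %ld (rejected)\n", demo_decode_hostile());
    return 0;
}
```

The first check (count against bytes on the wire) is the one that matters for a network decoder; the multiplication check is kept because decoders are sometimes fed from sources where the total length is not known up front, and the two checks fail independently.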
Copyright (C) 2002 Eridani Star System -- Michael "Soruk" McConnell
http://www.eridani.co.uk
Eridani Linux -- The Most Up-to-Date Red Hat-based Linux CDROMs Available
Email: linux@eridani.co.uk -- Also Debian, Slackware, Mandrake and more...

_______________________________________________
Eridani-Announce mailing list
To be removed from this list, email linux@eridani.co.uk requesting removal.