pjp
Administrator
Joined: 16 Apr 2002
Posts: 20589
|
 Posted: Tue May 27, 2003 3:29 pm Post subject: [gentoo-security] GLSA: heimdal (200305-09) |
 |
|
| Daniel Ahlberg wrote: | - - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200305-09
- - - ---------------------------------------------------------------------
PACKAGE : heimdal
SUMMARY : protocol bug in the kerberos v4 cross-realm operation
DATE : 2003-05-27 08:46 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <heimdal-0.6
FIXED VERSION : >=heimdal-0.6
CVE : CAN-2003-0139 CAN-2003-0138
- - - ---------------------------------------------------------------------
heimdal suffers from the same vulnerability as mit-krb5 does, hence
the identical advisory.
- - From advisory:
"A cryptographic weakness in version 4 of the Kerberos protocol allows
an attacker to use a chosen-plaintext attack to impersonate any
principal in a realm. Additional cryptographic weaknesses in the krb4
implementation included in the MIT krb5 distribution permit the use of
cut-and-paste attacks to fabricate krb4 tickets for unauthorized
client principals if triple-DES keys are used to key krb4 services.
These attacks can subvert a site's entire Kerberos authentication
infrastructure."
Read the full advisory at
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt
SOLUTION
It is recommended that all Gentoo Linux users who are running
app-crypt/heimdal upgrade to heimdal-0.6 as follows
emerge sync
emerge heimdal
emerge clean
- - - ---------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - - --------------------------------------------------------------------- |
Mailing List Archive: Unavailable
_________________
Quis separabit? Quo animo? |
|
News & Announcements
