Fedora Legacy Test Update Notification: krb5

Marc Deslauriers marcdeslauriers at videotron.ca
Mon Mar 7 00:27:20 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-2040
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2040
2005-03-06
---------------------------------------------------------------------

Name        : krb5
Versions    : rh7.3: krb5-1.2.4-16.legacy
Versions    : rh9: krb5-1.2.7-38.2.legacy
Versions    : fc1: krb5-1.3.4-5.2.legacy
Summary     : Kerberos 5 programs for use on workstations.
Description :
Kerberos is a network authentication system. The krb5-workstation
package contains the basic Kerberos programs (kinit, klist, kdestroy,
kpasswd) as well as kerberized versions of Telnet and FTP. If your
network uses Kerberos, this package should be installed on every
workstation.

---------------------------------------------------------------------
Update Information:

Updated Kerberos (krb5) packages that correct multiple security issues
are now available.

Kerberos is a networked authentication system that uses a trusted third
party (a KDC) to authenticate clients and servers to each other.

Note that some of these issues have already been fixed in Fedora Core 1.
Please refer to previous advisories for details.

Several buffer overflows were possible for all Kerberos versions up to
and including 1.3.3 in the krb5_aname_to_localname library function,
which maps a Kerberos principal name to a local account name. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2004-0523 to this issue.

Several double-free bugs were found in the Kerberos 5 KDC and libraries.
A remote attacker could potentially exploit these flaws to execute
arbitrary code. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the names CAN-2004-0642 and CAN-2004-0643
to these issues.

A double-free bug was also found in the krb524 server. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0772 to this issue.

An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library.
A remote attacker may be able to trigger this flaw and cause a denial of
service. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-0644 to this issue.

A heap based buffer overflow bug was found in the administration library
of Kerberos 1.3.5 and earlier. This bug could allow an authenticated
remote attacker to execute arbitrary commands on a realm's master
Kerberos KDC. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1189 to this issue.

Additionally, a temporary file bug was found in the Kerberos krb5-send-pr
program, which creates its working file under a predictable name. A
local attacker could create that file ahead of time (for example as a
symbolic link), so that when the victim runs krb5-send-pr any file the
victim has write access to could be overwritten. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0971 to this issue.
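
The shell script below is an added illustration of the bug class behind
CAN-2004-0971; it is not the krb5-send-pr script and not Fedora Legacy
code. It shows a writer that uses a guessable name under a shared
directory following a symbolic link an attacker planted there first, and
the same writer fixed with mktemp(1). The sandbox directory, the
"victim_rc" file, the "krb5-report" name and the report text are all
constructed for the demonstration.

```shell
#!/bin/sh
# Illustration of the predictable-temporary-file bug class (the kind of
# flaw described for krb5-send-pr). Not the krb5-send-pr script itself;
# every name below is made up and everything happens in a private sandbox.

# Vulnerable pattern: a fixed, guessable file name. The `>` redirection
# opens whatever already exists at that path, so a symlink planted there
# by another user is followed and its target is truncated and overwritten.
unsafe_write_report() {
    dir="$1"; text="$2"
    report="$dir/krb5-report.tmp"
    printf '%s\n' "$text" > "$report"
}

# Fixed pattern: let mktemp(1) create the file. It opens with
# O_CREAT|O_EXCL under an unguessable name and mode 0600, so a pre-planted
# path cannot be followed and other users cannot read the report.
safe_write_report() {
    dir="$1"; text="$2"
    report=$(mktemp "$dir/krb5-report.XXXXXX") || return 1
    printf '%s\n' "$text" > "$report"
    printf '%s\n' "$report"
}

# Build a sandbox holding a "victim" file, plant an attacker symlink at the
# guessable name, run the writer named in $1 as the victim would, and print
# what the victim file contains afterwards.
victim_after() {
    writer="$1"
    sandbox=$(mktemp -d) || return 1
    victim="$sandbox/victim_rc"
    printf 'original\n' > "$victim"
    # Attacker: point the predictable name at the file to be clobbered.
    ln -s "$victim" "$sandbox/krb5-report.tmp"
    # Victim runs the report writer.
    "$writer" "$sandbox" "bug report body" > /dev/null
    cat "$victim"
    rm -rf "$sandbox"
}

# victim_after unsafe_write_report   -> prints "bug report body" (clobbered)
# victim_after safe_write_report     -> prints "original"        (intact)
```

The same race exists for any fixed name derived from things an attacker can
observe, such as a PID; the fix is to let the kernel create the file
atomically (mktemp, or O_EXCL in C) rather than to pick a cleverer name.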

All users of krb5 should upgrade to these updated packages, which
contain backported security patches to resolve these issues.

---------------------------------------------------------------------
Changelogs

rh7.3:
* Sun Mar 06 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 
1.2.4-16.legacy
- Added missing libtool BuildPrereq

* Sat Feb 26 2005 Pekka Savola <pekkas at netcore.fi> 1.2.4-15.legacy
- apply ~all patches from RHEL21 between 1.2.2-24 to -32 (#2040)
- don't apply DNS usage patch, as it would be a new feature

rh9:
* Sun Mar 06 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 
1.2.7-38.2.legacy
- Added missing libtool and autoconf213 to BuildPrereq

* Sat Feb 26 2005 Pekka Savola <pekkas at netcore.fi> 1.2.7-38.1.legacy
- Rebuild for Fedora Legacy, to fix a number of bugs (#2040)

* Wed Dec 22 2004 Nalin Dahyabhai <nalin at redhat.com> 1.2.7-38
- add additional hunk to fix for #123031 for xdr encoding/decoding of gssapi
   buffers (part of #143127)

fc1:
* Sun Mar 06 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 
1.3.4-5.2.legacy
- Added missing autoconf BuildPrereq

* Wed Mar 02 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 
1.3.4-5.1.legacy
- Added security patches for CAN-2004-0971 and CAN-2004-1189

---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedoralegacy.org/
(sha1sums)

rh7.3:
50bbcee234a516ecdb33ddcc7fc5c8b1a5f3b5cd 
redhat/7.3/updates-testing/i386/krb5-devel-1.2.4-16.legacy.i386.rpm
5b8e4296a97f8ac0b5fb38fb634226216fc7a7bc 
redhat/7.3/updates-testing/i386/krb5-libs-1.2.4-16.legacy.i386.rpm
ea278b24980c972694b0f2f6715656eacad4165f 
redhat/7.3/updates-testing/i386/krb5-server-1.2.4-16.legacy.i386.rpm
fa8d49d3d9a3827b2862585a028ffdd42334e9d4 
redhat/7.3/updates-testing/i386/krb5-workstation-1.2.4-16.legacy.i386.rpm
160e8be6a52f236e9a15ac7e5f6bbcdbd34201f8 
redhat/7.3/updates-testing/SRPMS/krb5-1.2.4-16.legacy.src.rpm

rh9:
9bbac59bcc35c8a4cf2a3f201c42b66b9a1ac71d 
redhat/9/updates-testing/i386/krb5-devel-1.2.7-38.2.legacy.i386.rpm
126972c72a03391b34af7f20fafc282859d4c11a 
redhat/9/updates-testing/i386/krb5-libs-1.2.7-38.2.legacy.i386.rpm
89829ef757ddd4fe0605d607c662e85ee7297012 
redhat/9/updates-testing/i386/krb5-server-1.2.7-38.2.legacy.i386.rpm
ce1aaade9eefba47ff00f9832866ac14d44d4f46 
redhat/9/updates-testing/i386/krb5-workstation-1.2.7-38.2.legacy.i386.rpm
32033e8aa82973774b2e5e77a3d34b6b40fbf56c 
redhat/9/updates-testing/SRPMS/krb5-1.2.7-38.2.legacy.src.rpm

fc1:
0a9368bd99b7256632708849eaeb9fdc3e7bdd17 
fedora/1/updates-testing/i386/krb5-devel-1.3.4-5.2.legacy.i386.rpm
08c1b15601aa138b7fb3652cd5a20bb2325d27bc 
fedora/1/updates-testing/i386/krb5-libs-1.3.4-5.2.legacy.i386.rpm
d90437351de986298fd619325a5794626905959e 
fedora/1/updates-testing/i386/krb5-server-1.3.4-5.2.legacy.i386.rpm
f654069f92aabd66bb836210d4918039b7a161ac 
fedora/1/updates-testing/i386/krb5-workstation-1.3.4-5.2.legacy.i386.rpm
ecfd7f697814343945becd0fdd717b11c239152e 
fedora/1/updates-testing/SRPMS/krb5-1.3.4-5.2.legacy.src.rpm

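As an added example (not part of this announcement and not Fedora Legacy
tooling), the shell function below checks downloaded packages against a
manifest in exactly the format printed above: a 40-hex-digit SHA-1 on one
line (trailing blanks tolerated) and the path relative to the mirror root
on the next, with "rh9:"-style section headers skipped. It reports every
package and returns non-zero if any is missing, malformed or mismatched.
The fake one-line package it is exercised with is constructed for the
demonstration.

```shell
#!/bin/sh
# Verify downloaded update packages against an advisory's sha1sum list.
# Added example; not part of the Fedora Legacy announcement or tooling.
#
# Manifest format (as printed in the advisory):
#   rh9:                                  <- section header, ignored
#   <40 hex digits>                       <- SHA-1, may carry trailing blanks
#   redhat/9/updates-testing/.../foo.rpm  <- path relative to the mirror root
#
# Usage: verify_manifest MANIFEST MIRROR_ROOT
# Prints one OK/FAILED/MISSING/MALFORMED line per entry and returns non-zero
# if anything did not verify, so it can gate the install step in a script:
#   verify_manifest sha1sums.txt /srv/mirror && rpm -Fvh /srv/mirror/.../*.rpm
verify_manifest() {
    manifest="$1"
    root="$2"
    failed=0
    expected=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Trim surrounding whitespace (the advisory's hash lines end in a space).
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$line" ] && continue
        case "$line" in
            *:) continue ;;                      # "rh7.3:", "rh9:", "fc1:"
        esac
        if [ -z "$expected" ]; then
            # First line of a pair must be a SHA-1; anything else is a
            # malformed manifest and is reported, not silently skipped.
            if printf '%s\n' "$line" | grep -Eq '^[0-9a-fA-F]{40}$'; then
                expected=$(printf '%s' "$line" | tr 'A-F' 'a-f')
            else
                echo "MALFORMED $line"; failed=1
            fi
            continue
        fi
        # Second line of the pair is the package path.
        file="$root/$line"
        if [ ! -f "$file" ]; then
            echo "MISSING $line"; failed=1
        else
            actual=$(sha1sum "$file" | cut -d' ' -f1)
            if [ "$actual" = "$expected" ]; then
                echo "OK $line"
            else
                echo "FAILED $line (expected $expected, got $actual)"; failed=1
            fi
        fi
        expected=""
    done < "$manifest"
    # A hash at the end of the file with no path after it is also an error.
    if [ -n "$expected" ]; then echo "MALFORMED trailing hash $expected"; failed=1; fi
    return $failed
}
```

A matching SHA-1 only shows that the file you fetched is the one the
announcement describes; it says nothing about who produced either. The
authenticity check is the OpenPGP signature on this announcement and
`rpm --checksig` on the packages against the Fedora Legacy signing key.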
---------------------------------------------------------------------

Please test and comment in bugzilla.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-legacy-list/attachments/20050306/7907cbae/attachment.sig>