USN-924-1: Kerberos vulnerabilities

Releases

• Ubuntu 9.04
• Ubuntu 8.10
• Ubuntu 8.04

Packages

• krb5 -

Details

Sol Jerome discovered that the Kerberos kadmind service did not correctly
free memory. An unauthenticated remote attacker could send specially
crafted traffic to crash the kadmind process, leading to a denial of
service. (CVE-2010-0629)

It was discovered that Kerberos did not correctly free memory in
the GSSAPI library. If a remote attacker were able to manipulate an
application using GSSAPI carefully, the service could crash, leading to
a denial of service. (Ubuntu 8.10 was not affected.) (CVE-2007-5901,
CVE-2007-5971)

It was discovered that Kerberos did not correctly free memory in the
GSSAPI and kdb libraries. If a remote attacker were able to manipulate
an application using these libraries carefully, the service could crash,
leading to a denial of service. (Only Ubuntu 8.04 LTS was affected.)
(CVE-2007-5902, CVE-2007-5972)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.04

• libkrb53 - 1.6.dfsg.4~beta1-5ubuntu2.3
• krb5-kdc - 1.6.dfsg.4~beta1-5ubuntu2.3

Ubuntu 8.10

• krb5-kdc - 1.6.dfsg.4~beta1-3ubuntu0.4

Ubuntu 8.04

• libkrb53 - 1.6.dfsg.3~beta1-2ubuntu1.4
• krb5-kdc - 1.6.dfsg.3~beta1-2ubuntu1.4

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

• CVE-2007-5901
• CVE-2007-5902
• CVE-2007-5971
• CVE-2007-5972
• CVE-2010-0629

Related notices

• USN-940-1: libkrb53, krb5, krb5-kdc, krb5-admin-server