USN-924-1: Kerberos vulnerabilities

7 April 2010

krb5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS

Software Description

  • krb5

Details

Sol Jerome discovered that the Kerberos kadmind service did not correctly free memory. An unauthenticated remote attacker could send specially crafted traffic to crash the kadmind process, leading to a denial of service. (CVE-2010-0629)

It was discovered that Kerberos did not correctly free memory in the GSSAPI library. If a remote attacker were able to manipulate an application using GSSAPI carefully, the service could crash, leading to a denial of service. (Ubuntu 8.10 was not affected.) (CVE-2007-5901, CVE-2007-5971)

It was discovered that Kerberos did not correctly free memory in the GSSAPI and kdb libraries. If a remote attacker were able to manipulate an application using these libraries carefully, the service could crash, leading to a denial of service. (Only Ubuntu 8.04 LTS was affected.) (CVE-2007-5902, CVE-2007-5972)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.04
krb5-kdc - 1.6.dfsg.4~beta1-5ubuntu2.3
libkrb53 - 1.6.dfsg.4~beta1-5ubuntu2.3
Ubuntu 8.10
krb5-kdc - 1.6.dfsg.4~beta1-3ubuntu0.4
Ubuntu 8.04 LTS
krb5-kdc - 1.6.dfsg.3~beta1-2ubuntu1.4
libkrb53 - 1.6.dfsg.3~beta1-2ubuntu1.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References