[csw-users] Critical Kerberos security update
Derek Morr
dvm105 at psu.edu
Wed Jul 13 06:21:06 CEST 2005
MIT has uncovered three critical bugs in MIT Kerberos 1.4.1. These bugs
make MIT Kerberos vulnerable to a denial of service attack and to remote
code execution. Both the KDC server as well as arbitrary
Kerberos-enabled services are affected.
The MIT Kerberos team has released official patches for version 1.4.1,
and the bugfixes will also be included in the forthcoming 1.4.2 release.
I have already repackaged MIT Kerberos with the patched versions, and
the new packages should be distributed to the mirrors when they next sync.
It is recommended that all Blastwave sites using MIT Kerberos
immediately upgrade the CSWkrb5adminserver, CSWkrb5kdc, CSWkrb5lib,
CSWkrb5libdev and CSWkrb5user packages.
The bugs have been filed with the MITRE Common Vulnerabilities and
Exposures (CVE) database as CAN-2005-1174, CAN-2005-1175 and
CAN-2005-1689. MIT has released Kerberos Security Advisories 2005-002
and 2005-003 with more information. See
http://web.mit.edu/kerberos/www/advisories/ for more information on the
vulnerabilities.
Derek Morr,
Blastwave Kerberos Maintainer
derek at blastwave.org
More information about the users
mailing list