[csw-users] Critical Kerberos security update

Derek Morr dvm105 at psu.edu
Wed Jul 13 06:21:06 CEST 2005


MIT has uncovered three critical bugs in MIT Kerberos 1.4.1. These bugs 
make MIT Kerberos vulnerable to a denial of service attack and to remote 
code execution. Both the KDC server and arbitrary Kerberos-enabled 
services are affected.

The MIT Kerberos team has released official patches for version 1.4.1, 
and the bugfixes will also be included in the forthcoming 1.4.2 release. 
I have already repackaged MIT Kerberos with the patched versions, and 
the new packages should be distributed to the mirrors when they next sync.

It is recommended that all Blastwave sites using MIT Kerberos 
immediately upgrade the CSWkrb5adminserver, CSWkrb5kdc, CSWkrb5lib, 
CSWkrb5libdev and CSWkrb5user packages.

The bugs have been filed with the MITRE Common Vulnerabilities and 
Exposures (CVE) database as CAN-2005-1174, CAN-2005-1175 and 
CAN-2005-1689. MIT has released Kerberos Security Advisories 2005-002 
and 2005-003 with more information. See 
http://web.mit.edu/kerberos/www/advisories/ for more information on the 
vulnerabilities.


Derek Morr,
Blastwave Kerberos Maintainer
derek at blastwave.org