USN-924-1: Kerberos vulnerabilities

Ubuntu Security Notice USN-924-1

6th April, 2010

krb5 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS

Software description

  • krb5

Details

Sol Jerome discovered that the Kerberos kadmind service did not correctly
free memory. An unauthenticated remote attacker could send specially
crafted traffic to crash the kadmind process, leading to a denial of
service. (CVE-2010-0629)

It was discovered that Kerberos did not correctly free memory in
the GSSAPI library. If a remote attacker were able to manipulate an
application using GSSAPI carefully, the service could crash, leading to
a denial of service. (Ubuntu 8.10 was not affected.) (CVE-2007-5901,
CVE-2007-5971)

It was discovered that Kerberos did not correctly free memory in the
GSSAPI and kdb libraries. If a remote attacker were able to manipulate
an application using these libraries carefully, the service could crash,
leading to a denial of service. (Only Ubuntu 8.04 LTS was affected.)
(CVE-2007-5902, CVE-2007-5972)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 9.04:
libkrb53 1.6.dfsg.4~beta1-5ubuntu2.3
krb5-kdc 1.6.dfsg.4~beta1-5ubuntu2.3
Ubuntu 8.10:
krb5-kdc 1.6.dfsg.4~beta1-3ubuntu0.4
Ubuntu 8.04 LTS:
libkrb53 1.6.dfsg.3~beta1-2ubuntu1.4
krb5-kdc 1.6.dfsg.3~beta1-2ubuntu1.4

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the
necessary changes.

References

CVE-2007-5901, CVE-2007-5902, CVE-2007-5971, CVE-2007-5972, CVE-2010-0629