USN-449-1: krb5 vulnerabilities

===========================================================
Ubuntu Security Notice USN-449-1             April 04, 2007
krb5 vulnerabilities
CVE-2007-0956, CVE-2007-0957, CVE-2007-1216
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.10
Ubuntu 6.06 LTS
Ubuntu 6.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.10:
  krb5-telnetd    1.3.6-4ubuntu0.2
  libkadm55       1.3.6-4ubuntu0.2
  libkrb53        1.3.6-4ubuntu0.2

Ubuntu 6.06 LTS:
  krb5-telnetd    1.4.3-5ubuntu0.3
  libkadm55       1.4.3-5ubuntu0.3
  libkrb53        1.4.3-5ubuntu0.3

Ubuntu 6.10:
  krb5-telnetd    1.4.3-9ubuntu1.2
  libkadm55       1.4.3-9ubuntu1.2
  libkrb53        1.4.3-9ubuntu1.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

The krb5 telnet service did not appropriately verify user names. A
remote attacker could log in as the root user by requesting a specially
crafted user name. (CVE-2007-0956)

The krb5 syslog library did not correctly verify the size of log
messages. A remote attacker could send a specially crafted message and
execute arbitrary code with root privileges. (CVE-2007-0957)

The krb5 administration service was vulnerable to a double-free in the
GSS RPC library. A remote attacker could send a specially crafted
request and execute arbitrary code with root privileges. (CVE-2007-1216)