Description:
The remote host is missing updates announced in advisory CLA-2002:534.
The krb5 packages are MIT's[1] implementation of the Kerberos 5 authentication protocol.
There is a buffer overflow vulnerability[2][3] in the Kerberos 4 remote administration service (kadmind4). A remote attacker can exploit it to execute arbitrary code on the server with root privileges, the privileges kadmind4 runs with.
kadmind4, the daemon that implements this service, is shipped in the krb5-server package but is not started by default; the package's default administration daemon, kadmind, is not vulnerable to this problem. Only hosts on which an administrator has explicitly started kadmind4 are at risk.
The MIT Kerberos developers released an advisory[2] with a patch that fixes the vulnerability; this patch has been applied to the updated packages.
Solution: The apt tool can be used to perform RPM package upgrades by running 'apt-get update' followed by 'apt-get upgrade'. If kadmind4 is running, restart it after the upgrade so that the patched binary is the one in use.
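Because only hosts that actually run kadmind4 are exposed, the first triage question is whether that daemon is in the process table. The shell helper below is an added example, not part of the Conectiva advisory, the scanner plugin or MIT krb5; the process listing it is demonstrated on is constructed, and the path /usr/sbin/kadmind4 is an assumption about where the package installs the daemon. It deliberately does not match the Kerberos 5 daemon kadmind, which the advisory states is not affected.

```shell
#!/bin/sh
# Added triage helper (hypothetical, not from the advisory or MIT krb5):
# decide whether a host is in the at-risk group, i.e. actually runs kadmind4.
# The Kerberos 5 daemon "kadmind" is deliberately NOT matched, since the
# advisory states it is not affected.

# find_kadmind4 LISTING
#   LISTING: lines in the shape of `ps -eo pid=,comm=,args=`
#            ("PID COMM ARGS...").
#   Prints every line whose command is kadmind4 (by comm or by the
#   first word of args, with any directory prefix stripped).
#   Returns 0 if at least one such process exists, 1 otherwise.
find_kadmind4() {
    printf '%s\n' "$1" | awk '
        {
            cmd = $2; sub(/.*\//, "", cmd)   # basename of comm
            arg = $3; sub(/.*\//, "", arg)   # basename of argv[0]
            if (cmd == "kadmind4" || arg == "kadmind4") {
                print
                found = 1
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# check_host: run the same test against the live process table.
# Returns 1 (and lists the processes) when kadmind4 is running.
check_host() {
    procs=$(find_kadmind4 "$(ps -eo pid=,comm=,args=)") || {
        echo "OK: kadmind4 is not running (the default kadmind is not affected)"
        return 0
    }
    echo "AT RISK: kadmind4 is running; upgrade krb5-server and restart it:"
    echo "$procs"
    return 1
}

# Constructed sample listing (not captured from a real host); paths assumed.
SAMPLE='  812 kadmind /usr/sbin/kadmind
  815 krb5kdc /usr/sbin/krb5kdc
  901 kadmind4 /usr/sbin/kadmind4
  955 sshd /usr/sbin/sshd'

# Demonstration on the constructed listing: prints only the kadmind4 line.
find_kadmind4 "$SAMPLE"
```

On a real host call check_host instead; its exit status (1 when kadmind4 is found) makes it usable from a fleet-wide inventory script, and the listed PIDs are the processes to restart once the patched krb5-server package is installed.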
References:
[1] http://web.mit.edu/Kerberos/www/index.html
[2] http://web.mit.edu/Kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
[3] http://www.cert.org/advisories/CA-2002-29.html
CVE-2002-1235: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1235
SecuritySpace entry: http://www.securityspace.com/smysecure/catid.html?in=CLA-2002:534
Conectiva update announcement: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=002002
Risk factor : Critical
CVSS Score: 10.0