Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.60578
Category:Debian Local Security Checks
Title:Debian Security Advisory DSA 1524-1 (krb5)
Summary:NOSUMMARY
Description:Description:
The remote host is missing an update to krb5
announced via advisory DSA 1524-1.

Several remote vulnerabilities have been discovered in the kdc component
of the krb5, a system for authenticating users and services on a
network.

CVE-2008-0062

An unauthenticated remote attacker may cause a krb4-enabled KDC to
crash, expose information, or execute arbitrary code. Successful
exploitation of this vulnerability could compromise the Kerberos key
database and host security on the KDC host.

CVE-2008-0063

An unauthenticated remote attacker may cause a krb4-enabled KDC to
expose information. It is theoretically possible for the exposed
information to include secret key data on some platforms.

CVE-2008-0947

An unauthenticated remote attacker can cause memory corruption in the
kadmind process, which is likely to cause kadmind to crash, resulting in
a denial of service. It is at least theoretically possible for such
corruption to result in database corruption or arbitrary code execution,
though we have no such exploit and are not aware of any such exploits in
use in the wild. In versions of MIT Kerberos shipped by Debian, this
bug can only be triggered in configurations that allow large numbers of
open file descriptors in a process.

For the stable distribution (etch), these problems have been fixed in
version 1.4.4-7etch5.

For the old stable distribution (sarge), these problems have been fixed
in version krb5 1.3.6-2sarge6.

We recommend that you upgrade your krb5 packages.

Solution:
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201524-1

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2008-0062
http://lists.apple.com/archives/security-announce/2008/Mar/msg00001.html
BugTraq ID: 28303
http://www.securityfocus.com/bid/28303
Bugtraq: 20080318 MITKRB5-SA-2008-001: double-free, uninitialized data vulnerabilities in krb5kdc (Google Search)
http://www.securityfocus.com/archive/1/489761
Bugtraq: 20080319 rPSA-2008-0112-1 krb5 krb5-server krb5-services krb5-test krb5-workstation (Google Search)
http://www.securityfocus.com/archive/1/489883/100/0/threaded
Bugtraq: 20080604 VMSA-2008-0009 Updates to VMware Workstation, VMware Player, VMware ACE, VMware Fusion, VMware Server, VMware VIX API, VMware ESX, VMware ESXi resolve critical security issues (Google Search)
http://www.securityfocus.com/archive/1/493080/100/0/threaded
CERT/CC vulnerability note: VU#895609
http://www.kb.cert.org/vuls/id/895609
Debian Security Information: DSA-1524 (Google Search)
http://www.debian.org/security/2008/dsa-1524
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00537.html
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00544.html
http://www.gentoo.org/security/en/glsa/glsa-200803-31.xml
HPdes Security Advisory: HPSBOV02682
http://marc.info/?l=bugtraq&m=130497213107107&w=2
HPdes Security Advisory: SSRT100495
http://www.mandriva.com/security/advisories?name=MDVSA-2008:069
http://www.mandriva.com/security/advisories?name=MDVSA-2008:070
http://www.mandriva.com/security/advisories?name=MDVSA-2008:071
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9496
http://www.redhat.com/support/errata/RHSA-2008-0164.html
http://www.redhat.com/support/errata/RHSA-2008-0180.html
http://www.redhat.com/support/errata/RHSA-2008-0181.html
http://www.redhat.com/support/errata/RHSA-2008-0182.html
http://www.securitytracker.com/id?1019626
http://secunia.com/advisories/29420
http://secunia.com/advisories/29423
http://secunia.com/advisories/29424
http://secunia.com/advisories/29428
http://secunia.com/advisories/29435
http://secunia.com/advisories/29438
http://secunia.com/advisories/29450
http://secunia.com/advisories/29451
http://secunia.com/advisories/29457
http://secunia.com/advisories/29462
http://secunia.com/advisories/29464
http://secunia.com/advisories/29516
http://secunia.com/advisories/29663
http://secunia.com/advisories/30535
SuSE Security Announcement: SUSE-SA:2008:016 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00006.html
http://www.ubuntu.com/usn/usn-587-1
http://www.vupen.com/english/advisories/2008/0922/references
http://www.vupen.com/english/advisories/2008/0924/references
http://www.vupen.com/english/advisories/2008/1102/references
http://www.vupen.com/english/advisories/2008/1744
XForce ISS Database: krb5-kdc-code-execution(41275)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41275
Common Vulnerability Exposure (CVE) ID: CVE-2008-0063
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8916
http://www.securitytracker.com/id?1019627
XForce ISS Database: krb5-kdc-kerberos4-info-disclosure(41277)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41277
Common Vulnerability Exposure (CVE) ID: CVE-2008-0947
BugTraq ID: 28302
http://www.securityfocus.com/bid/28302
http://www.securityfocus.com/archive/1/489762/100/0/threaded
Bugtraq: 20080318 MITKRB5-SA-2008-002: array overrun in RPC library used by kadmin (resend, corrected subject) (Google Search)
http://www.securityfocus.com/archive/1/489784/100/0/threaded
Cert/CC Advisory: TA08-079B
http://www.us-cert.gov/cas/techalerts/TA08-079B.html
CERT/CC vulnerability note: VU#374121
http://www.kb.cert.org/vuls/id/374121
http://security.gentoo.org/glsa/glsa-200803-31.xml
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10984
http://www.securitytracker.com/id?1019631
http://securityreason.com/securityalert/3752
XForce ISS Database: krb5-rpclibrary-bo(41273)
https://exchange.xforce.ibmcloud.com/vulnerabilities/41273
CopyrightCopyright (c) 2008 E-Soft Inc. http://www.securityspace.com

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2024 E-Soft Inc. All rights reserved.