Description:
The remote host is missing an update to krb5 announced via advisory FEDORA-2008-2647.
Update Information:
This update incorporates fixes included in MITKRB5-SA-2008-001 (use of an uninitialized pointer / double-free in the KDC when v4 compatibility is enabled) and MITKRB5-SA-2008-002 (incorrect handling of high-numbered descriptors in the RPC library). This update also incorporates less-critical fixes for a double-free (CVE-2007-5971) and an incorrect attempt to free non-heap memory (CVE-2007-5901) in the GSSAPI library. This update also fixes an incorrect calculation of the length of the absolute path name of a file when the relative path is known and the library needs to look up which SELinux label to apply to the file.
ChangeLog:
* Tue Mar 18 2008 Nalin Dahyabhai 1.6.2-14
- add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063)
- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when high-numbered descriptors are used (CVE-2008-0947, #433596)
- add backport bug fix for an attempt to free non-heap memory in libgssapi_krb5 (CVE-2007-5901, #415321)
- add backport bug fix for a double-free in out-of-memory situations in libgssapi_krb5 (CVE-2007-5971, #415351)
- fix calculation of the length of relative filenames when looking up the SELinux labels they should be given (Pawel Salek, #436345)
References:
[ 1 ] Bug #415321 - CVE-2007-5901 krb5: use-after-free in gssapi lib
https://bugzilla.redhat.com/show_bug.cgi?id=415321
[ 2 ] Bug #415351 - CVE-2007-5971 krb5: double free in gssapi lib
https://bugzilla.redhat.com/show_bug.cgi?id=415351
[ 3 ] Bug #432620 - CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc
https://bugzilla.redhat.com/show_bug.cgi?id=432620
[ 4 ] Bug #432621 - CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request
https://bugzilla.redhat.com/show_bug.cgi?id=432621
[ 5 ] Bug #433596 - CVE-2008-0947 krb5: file descriptor array overflow in RPC library
https://bugzilla.redhat.com/show_bug.cgi?id=433596
Solution: Apply the appropriate updates.
This update can be installed with the yum update program. Use su -c 'yum update krb5' at the command line. For more information, refer to Managing Software with yum, available at http://docs.fedoraproject.org/yum/.
https://secure1.securityspace.com/smysecure/catid.html?in=FEDORA-2008-2647
Risk factor : Critical
CVSS Score: 10.0