Security Advisory Critical: krb5 security update

Advisory: RHSA-2008:0180-4
Type: Security Advisory
Severity: Critical
Issued on: 2008-03-18
Last updated on: 2008-03-18
Affected Products: Red Hat Desktop (v. 4)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.6.z)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.6.z)
Red Hat Enterprise Linux WS (v. 4)
OVAL: com.redhat.rhsa-20080180.xml
CVEs (cve.mitre.org): CVE-2007-5971
CVE-2008-0062
CVE-2008-0063

Details

Updated krb5 packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having critical security impact by the Red
Hat Security Response Team.

Kerberos is a network authentication system which allows clients and
servers to authenticate to each other through use of symmetric encryption
and a trusted third party, the KDC.

A flaw was found in the way the MIT Kerberos Authentication Service and Key
Distribution Center server (krb5kdc) handled Kerberos v4 protocol packets.
An unauthenticated remote attacker could use this flaw to crash the
krb5kdc daemon, disclose portions of its memory, or possibly execute
arbitrary code using malformed or truncated Kerberos v4 protocol
requests. (CVE-2008-0062, CVE-2008-0063)

This issue only affected krb5kdc with Kerberos v4 protocol compatibility
enabled, which is the default setting on Red Hat Enterprise Linux 4.
Kerberos v4 protocol support can be disabled by adding "v4_mode=none"
(without the quotes) to the "[kdcdefaults]" section of
/var/kerberos/krb5kdc/kdc.conf.

Red Hat would like to thank MIT for reporting these issues.

A double-free flaw was discovered in the GSSAPI library used by MIT
Kerberos. This flaw could possibly cause a crash of the application using
the GSSAPI library. (CVE-2007-5971)

All krb5 users are advised to update to these erratum packages which
contain backported fixes to correct these issues.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages

Red Hat Desktop (v. 4)
SRPMS:
krb5-1.3.4-54.el4_6.1.src.rpm
File outdated by:  RHBA-2009:0997		     c88f23cd12d8036f021dd46eb47a84f5
 
IA-32:
krb5-devel-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     6403a6be8ce568bc0cc088232f26932c
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-server-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     18e1328b8fd52a47f799e09ce09d2c0e
krb5-workstation-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     c1b4940b65343a1727eaeb394097451d
 
x86_64:
krb5-devel-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     e9a412d7fc6d772a16469a5ba6fc6a1e
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     3ff5a0d93763f284431baf1949e8be20
krb5-server-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     fdf24ba503a46b572701cd850a085041
krb5-workstation-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     811afb3b09a31094d445fca3cdd32e1e
 
Red Hat Enterprise Linux AS (v. 4)
SRPMS:
krb5-1.3.4-54.el4_6.1.src.rpm
File outdated by:  RHBA-2009:0997		     c88f23cd12d8036f021dd46eb47a84f5
 
IA-32:
krb5-devel-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     6403a6be8ce568bc0cc088232f26932c
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-server-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     18e1328b8fd52a47f799e09ce09d2c0e
krb5-workstation-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     c1b4940b65343a1727eaeb394097451d
 
IA-64:
krb5-devel-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     bd79d3f487329c222311775e851ebd80
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     f56ae7b13c48b204586980011d5b36f9
krb5-server-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     74d3f5fdf681e7a9e0f0cbe5d01bf4a0
krb5-workstation-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     32789236ff32617f23a96068eb311802
 
PPC:
krb5-devel-1.3.4-54.el4_6.1.ppc.rpm
File outdated by:  RHBA-2009:0997		     834a1a360f9666ac7fbdbae5493f5852
krb5-libs-1.3.4-54.el4_6.1.ppc.rpm
File outdated by:  RHBA-2009:0997		     1bce09a83db089e1d450ed3f8622fd30
krb5-libs-1.3.4-54.el4_6.1.ppc64.rpm
File outdated by:  RHBA-2009:0997		     0323b68f5bd4685a3c5c816227b2fd61
krb5-server-1.3.4-54.el4_6.1.ppc.rpm
File outdated by:  RHBA-2009:0997		     b30529f067f44c23ea35abc7a4c032ca
krb5-workstation-1.3.4-54.el4_6.1.ppc.rpm
File outdated by:  RHBA-2009:0997		     b52bfb62121146f7f71cd9030b436a85
 
s390:
krb5-devel-1.3.4-54.el4_6.1.s390.rpm
File outdated by:  RHBA-2009:0997		     fc651071dbcc00bd9b3f274c3d213da7
krb5-libs-1.3.4-54.el4_6.1.s390.rpm
File outdated by:  RHBA-2009:0997		     1dffc0fce88826565acd018084501389
krb5-server-1.3.4-54.el4_6.1.s390.rpm
File outdated by:  RHBA-2009:0997		     280218a82eb2a7652d6da6a2be3e3da4
krb5-workstation-1.3.4-54.el4_6.1.s390.rpm
File outdated by:  RHBA-2009:0997		     0bf92452c7cabdecaf09e915b83fdfd9
 
s390x:
krb5-devel-1.3.4-54.el4_6.1.s390x.rpm
File outdated by:  RHBA-2009:0997		     f8b3a9d9ef87d716c868dec3d9b830ae
krb5-libs-1.3.4-54.el4_6.1.s390.rpm
File outdated by:  RHBA-2009:0997		     1dffc0fce88826565acd018084501389
krb5-libs-1.3.4-54.el4_6.1.s390x.rpm
File outdated by:  RHBA-2009:0997		     3c1931302070560e35ea13270da585d7
krb5-server-1.3.4-54.el4_6.1.s390x.rpm
File outdated by:  RHBA-2009:0997		     6a3054a5764f3d9558e0d817e7c22d83
krb5-workstation-1.3.4-54.el4_6.1.s390x.rpm
File outdated by:  RHBA-2009:0997		     1fcab97fb3a1a62a47f3243283e31222
 
x86_64:
krb5-devel-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     e9a412d7fc6d772a16469a5ba6fc6a1e
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     3ff5a0d93763f284431baf1949e8be20
krb5-server-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     fdf24ba503a46b572701cd850a085041
krb5-workstation-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     811afb3b09a31094d445fca3cdd32e1e
 
Red Hat Enterprise Linux AS (v. 4.6.z)
SRPMS:
krb5-1.3.4-54.el4_6.1.src.rpm
File outdated by:  RHBA-2009:0997		     c88f23cd12d8036f021dd46eb47a84f5
 
IA-32:
krb5-devel-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     6403a6be8ce568bc0cc088232f26932c
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-server-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     18e1328b8fd52a47f799e09ce09d2c0e
krb5-workstation-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     c1b4940b65343a1727eaeb394097451d
 
IA-64:
krb5-devel-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0645		     bd79d3f487329c222311775e851ebd80
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0645		     f56ae7b13c48b204586980011d5b36f9
krb5-server-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0645		     74d3f5fdf681e7a9e0f0cbe5d01bf4a0
krb5-workstation-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0645		     32789236ff32617f23a96068eb311802
 
PPC:
krb5-devel-1.3.4-54.el4_6.1.ppc.rpm
File outdated by:  RHBA-2008:0645		     834a1a360f9666ac7fbdbae5493f5852
krb5-libs-1.3.4-54.el4_6.1.ppc.rpm
File outdated by:  RHBA-2008:0645		     1bce09a83db089e1d450ed3f8622fd30
krb5-libs-1.3.4-54.el4_6.1.ppc64.rpm
File outdated by:  RHBA-2008:0645		     0323b68f5bd4685a3c5c816227b2fd61
krb5-server-1.3.4-54.el4_6.1.ppc.rpm
File outdated by:  RHBA-2008:0645		     b30529f067f44c23ea35abc7a4c032ca
krb5-workstation-1.3.4-54.el4_6.1.ppc.rpm
File outdated by:  RHBA-2008:0645		     b52bfb62121146f7f71cd9030b436a85
 
s390:
krb5-devel-1.3.4-54.el4_6.1.s390.rpm
File outdated by:  RHBA-2008:0645		     fc651071dbcc00bd9b3f274c3d213da7
krb5-libs-1.3.4-54.el4_6.1.s390.rpm
File outdated by:  RHBA-2008:0645		     1dffc0fce88826565acd018084501389
krb5-server-1.3.4-54.el4_6.1.s390.rpm
File outdated by:  RHBA-2008:0645		     280218a82eb2a7652d6da6a2be3e3da4
krb5-workstation-1.3.4-54.el4_6.1.s390.rpm
File outdated by:  RHBA-2008:0645		     0bf92452c7cabdecaf09e915b83fdfd9
 
s390x:
krb5-devel-1.3.4-54.el4_6.1.s390x.rpm
File outdated by:  RHBA-2008:0645		     f8b3a9d9ef87d716c868dec3d9b830ae
krb5-libs-1.3.4-54.el4_6.1.s390.rpm
File outdated by:  RHBA-2008:0645		     1dffc0fce88826565acd018084501389
krb5-libs-1.3.4-54.el4_6.1.s390x.rpm
File outdated by:  RHBA-2008:0645		     3c1931302070560e35ea13270da585d7
krb5-server-1.3.4-54.el4_6.1.s390x.rpm
File outdated by:  RHBA-2008:0645		     6a3054a5764f3d9558e0d817e7c22d83
krb5-workstation-1.3.4-54.el4_6.1.s390x.rpm
File outdated by:  RHBA-2008:0645		     1fcab97fb3a1a62a47f3243283e31222
 
x86_64:
krb5-devel-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0645		     e9a412d7fc6d772a16469a5ba6fc6a1e
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0645		     3ff5a0d93763f284431baf1949e8be20
krb5-server-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0645		     fdf24ba503a46b572701cd850a085041
krb5-workstation-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0645		     811afb3b09a31094d445fca3cdd32e1e
 
Red Hat Enterprise Linux ES (v. 4)
SRPMS:
krb5-1.3.4-54.el4_6.1.src.rpm
File outdated by:  RHBA-2009:0997		     c88f23cd12d8036f021dd46eb47a84f5
 
IA-32:
krb5-devel-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     6403a6be8ce568bc0cc088232f26932c
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-server-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     18e1328b8fd52a47f799e09ce09d2c0e
krb5-workstation-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     c1b4940b65343a1727eaeb394097451d
 
IA-64:
krb5-devel-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     bd79d3f487329c222311775e851ebd80
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     f56ae7b13c48b204586980011d5b36f9
krb5-server-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     74d3f5fdf681e7a9e0f0cbe5d01bf4a0
krb5-workstation-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     32789236ff32617f23a96068eb311802
 
x86_64:
krb5-devel-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     e9a412d7fc6d772a16469a5ba6fc6a1e
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     3ff5a0d93763f284431baf1949e8be20
krb5-server-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     fdf24ba503a46b572701cd850a085041
krb5-workstation-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     811afb3b09a31094d445fca3cdd32e1e
 
Red Hat Enterprise Linux ES (v. 4.6.z)
SRPMS:
krb5-1.3.4-54.el4_6.1.src.rpm
File outdated by:  RHBA-2009:0997		     c88f23cd12d8036f021dd46eb47a84f5
 
IA-32:
krb5-devel-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     6403a6be8ce568bc0cc088232f26932c
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-server-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     18e1328b8fd52a47f799e09ce09d2c0e
krb5-workstation-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     c1b4940b65343a1727eaeb394097451d
 
IA-64:
krb5-devel-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0645		     bd79d3f487329c222311775e851ebd80
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0645		     f56ae7b13c48b204586980011d5b36f9
krb5-server-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0645		     74d3f5fdf681e7a9e0f0cbe5d01bf4a0
krb5-workstation-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2008:0645		     32789236ff32617f23a96068eb311802
 
x86_64:
krb5-devel-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0645		     e9a412d7fc6d772a16469a5ba6fc6a1e
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2008:0645		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0645		     3ff5a0d93763f284431baf1949e8be20
krb5-server-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0645		     fdf24ba503a46b572701cd850a085041
krb5-workstation-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2008:0645		     811afb3b09a31094d445fca3cdd32e1e
 
Red Hat Enterprise Linux WS (v. 4)
SRPMS:
krb5-1.3.4-54.el4_6.1.src.rpm
File outdated by:  RHBA-2009:0997		     c88f23cd12d8036f021dd46eb47a84f5
 
IA-32:
krb5-devel-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     6403a6be8ce568bc0cc088232f26932c
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-server-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     18e1328b8fd52a47f799e09ce09d2c0e
krb5-workstation-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     c1b4940b65343a1727eaeb394097451d
 
IA-64:
krb5-devel-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     bd79d3f487329c222311775e851ebd80
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     f56ae7b13c48b204586980011d5b36f9
krb5-server-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     74d3f5fdf681e7a9e0f0cbe5d01bf4a0
krb5-workstation-1.3.4-54.el4_6.1.ia64.rpm
File outdated by:  RHBA-2009:0997		     32789236ff32617f23a96068eb311802
 
x86_64:
krb5-devel-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     e9a412d7fc6d772a16469a5ba6fc6a1e
krb5-libs-1.3.4-54.el4_6.1.i386.rpm
File outdated by:  RHBA-2009:0997		     f3c1a1b9ff8cc72cbd118d2464c2ec4f
krb5-libs-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     3ff5a0d93763f284431baf1949e8be20
krb5-server-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     fdf24ba503a46b572701cd850a085041
krb5-workstation-1.3.4-54.el4_6.1.x86_64.rpm
File outdated by:  RHBA-2009:0997		     811afb3b09a31094d445fca3cdd32e1e
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

415351 - CVE-2007-5971 krb5: double free in gssapi lib
432620 - CVE-2008-0062 krb5: uninitialized pointer use in krb5kdc
432621 - CVE-2008-0063 krb5: possible leak of sensitive data from krb5kdc using krb4 request


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5971
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0062
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0063
http://www.redhat.com/security/updates/classification/#critical

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/