Skip to navigation

Security Advisory krb5 security update

Advisory: RHSA-2004:350-12
Type: Security Advisory
Severity: Critical
Issued on: 2004-08-31
Last updated on: 2004-08-31
Affected Products: Red Hat Desktop (v. 3)
Red Hat Enterprise Linux AS (v. 3)
Red Hat Enterprise Linux ES (v. 3)
Red Hat Enterprise Linux WS (v. 3)
CVEs (cve.mitre.org): CVE-2004-0642
CVE-2004-0643
CVE-2004-0644

Details

Updated krb5 packages that improve client responsiveness and fix several
security issues are now available for Red Hat Enterprise Linux 3.

Kerberos is a networked authentication system that uses a trusted third
party (a KDC) to authenticate clients and servers to each other.

Several double-free bugs were found in the Kerberos 5 KDC and libraries. A
remote attacker could potentially exploit these flaws to execuate arbitrary
code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CAN-2004-0642 and CAN-2004-0643 to these issues.

A double-free bug was also found in the krb524 server (CAN-2004-0772),
however this issue does not affect Red Hat Enterprise Linux 3 Kerberos
packages.

An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A
remote attacker may be able to trigger this flaw and cause a denial of
service. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0644 to this issue.

When attempting to contact a KDC, the Kerberos libraries will iterate
through the list of configured servers, attempting to contact each in turn.
If one of the servers becomes unresponsive, the client will time out and
contact the next configured server. When the library attempts to contact
the next KDC, the entire process is repeated. For applications which must
contact a KDC several times, the accumulated time spent waiting can become
significant.

This update modifies the libraries, notes which server for a given realm
last responded to a request, and attempts to contact that server first
before contacting any of the other configured servers.

All users of krb5 should upgrade to these updated packages, which contain
backported security patches to resolve these issues.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

Updated packages

Red Hat Desktop (v. 3)

SRPMS:
krb5-1.2.7-28.src.rpm
File outdated by:  RHSA-2010:0423
    MD5: 3c91ce8bc77bd9bc5bf2f00c09d23cff
 
IA-32:
krb5-devel-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 758976fe956ac98a73809b4cc716d4c5
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-server-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: d805a5ef4dc5c16f1a6957cd60769076
krb5-workstation-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 2fee85ec1cc48fe67b90cd9954149321
 
x86_64:
krb5-devel-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 4b5d4f9ec25bf69bf3d1632b8f9dfece
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-libs-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 3ba1a8cda52f4c5c4f235390b5ab231c
krb5-server-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 4dae049940b908786c4c18ec2c4633e0
krb5-workstation-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: c68b7f6f4571165da841e89fb2de809d
 
Red Hat Enterprise Linux AS (v. 3)

SRPMS:
krb5-1.2.7-28.src.rpm
File outdated by:  RHSA-2010:0423
    MD5: 3c91ce8bc77bd9bc5bf2f00c09d23cff
 
IA-32:
krb5-devel-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 758976fe956ac98a73809b4cc716d4c5
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-server-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: d805a5ef4dc5c16f1a6957cd60769076
krb5-workstation-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 2fee85ec1cc48fe67b90cd9954149321
 
IA-64:
krb5-devel-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 2d5b6ce0d861cb35c66e9ce11321ca09
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-libs-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: dd27b1cfed80262c724f20400d174ae6
krb5-server-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 0c0b19114325ab9b9798398009abc745
krb5-workstation-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: b6d331840e0a625073c03f3629b71b6f
 
PPC:
krb5-devel-1.2.7-28.ppc.rpm
File outdated by:  RHSA-2010:0423
    MD5: 548446398708f1ee3a1820be932c427c
ftp://updates.redhat.com/rhn/repository/NULL/krb5-devel/1.2.7-28/ppc64/krb5-devel-1.2.7-28.ppc64.rpm
Missing file
    MD5: 9571b0242acad9ec5601b941aa5cf93e
krb5-libs-1.2.7-28.ppc.rpm
File outdated by:  RHSA-2010:0423
    MD5: 32f8d495713aad38cf0961e7eab8146f
krb5-libs-1.2.7-28.ppc64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 8bba9563078f648f8399be16a4a52d2a
krb5-server-1.2.7-28.ppc.rpm
File outdated by:  RHSA-2010:0423
    MD5: 2805823ff0ceeb7fd084f4cd1322f180
ftp://updates.redhat.com/rhn/repository/NULL/krb5-server/1.2.7-28/ppc64/krb5-server-1.2.7-28.ppc64.rpm
Missing file
    MD5: 48df8c1d94161a229cf5d52e0f2224ed
krb5-workstation-1.2.7-28.ppc.rpm
File outdated by:  RHSA-2010:0423
    MD5: c896eb2e27858495ca85a7f4f60b7d9d
ftp://updates.redhat.com/rhn/repository/NULL/krb5-workstation/1.2.7-28/ppc64/krb5-workstation-1.2.7-28.ppc64.rpm
Missing file
    MD5: 683c8c478512a0d2ef8d4b631e038501
 
s390:
krb5-devel-1.2.7-28.s390.rpm
File outdated by:  RHSA-2010:0423
    MD5: e1ab9eb4bef50ef7830e9504c988e4b8
krb5-libs-1.2.7-28.s390.rpm
File outdated by:  RHSA-2010:0423
    MD5: 4786e0ba3adbccca954fb2dee1034dd7
krb5-server-1.2.7-28.s390.rpm
File outdated by:  RHSA-2010:0423
    MD5: 3b17e6311a345c13efa0322a6f47e08f
krb5-workstation-1.2.7-28.s390.rpm
File outdated by:  RHSA-2010:0423
    MD5: ce72c91a8d4dd92969bc099866a693cd
 
s390x:
krb5-devel-1.2.7-28.s390x.rpm
File outdated by:  RHSA-2010:0423
    MD5: 9c3c9f758c4a619e852f5289f31614fd
krb5-libs-1.2.7-28.s390.rpm
File outdated by:  RHSA-2010:0423
    MD5: 4786e0ba3adbccca954fb2dee1034dd7
krb5-libs-1.2.7-28.s390x.rpm
File outdated by:  RHSA-2010:0423
    MD5: 94d14bb7d2e34140941c51839b4cf4f6
krb5-server-1.2.7-28.s390x.rpm
File outdated by:  RHSA-2010:0423
    MD5: 9e11ac40de7e36037cc4da2346c5f64f
krb5-workstation-1.2.7-28.s390x.rpm
File outdated by:  RHSA-2010:0423
    MD5: c2f65cd14134efa5794c732ed7e210df
 
x86_64:
krb5-devel-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 4b5d4f9ec25bf69bf3d1632b8f9dfece
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-libs-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 3ba1a8cda52f4c5c4f235390b5ab231c
krb5-server-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 4dae049940b908786c4c18ec2c4633e0
krb5-workstation-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: c68b7f6f4571165da841e89fb2de809d
 
Red Hat Enterprise Linux ES (v. 3)

SRPMS:
krb5-1.2.7-28.src.rpm
File outdated by:  RHSA-2010:0423
    MD5: 3c91ce8bc77bd9bc5bf2f00c09d23cff
 
IA-32:
krb5-devel-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 758976fe956ac98a73809b4cc716d4c5
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-server-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: d805a5ef4dc5c16f1a6957cd60769076
krb5-workstation-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 2fee85ec1cc48fe67b90cd9954149321
 
IA-64:
krb5-devel-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 2d5b6ce0d861cb35c66e9ce11321ca09
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-libs-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: dd27b1cfed80262c724f20400d174ae6
krb5-server-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 0c0b19114325ab9b9798398009abc745
krb5-workstation-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: b6d331840e0a625073c03f3629b71b6f
 
x86_64:
krb5-devel-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 4b5d4f9ec25bf69bf3d1632b8f9dfece
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-libs-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 3ba1a8cda52f4c5c4f235390b5ab231c
krb5-server-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 4dae049940b908786c4c18ec2c4633e0
krb5-workstation-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: c68b7f6f4571165da841e89fb2de809d
 
Red Hat Enterprise Linux WS (v. 3)

SRPMS:
krb5-1.2.7-28.src.rpm
File outdated by:  RHSA-2010:0423
    MD5: 3c91ce8bc77bd9bc5bf2f00c09d23cff
 
IA-32:
krb5-devel-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 758976fe956ac98a73809b4cc716d4c5
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-server-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: d805a5ef4dc5c16f1a6957cd60769076
krb5-workstation-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 2fee85ec1cc48fe67b90cd9954149321
 
IA-64:
krb5-devel-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 2d5b6ce0d861cb35c66e9ce11321ca09
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-libs-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: dd27b1cfed80262c724f20400d174ae6
krb5-server-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 0c0b19114325ab9b9798398009abc745
krb5-workstation-1.2.7-28.ia64.rpm
File outdated by:  RHSA-2010:0423
    MD5: b6d331840e0a625073c03f3629b71b6f
 
x86_64:
krb5-devel-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 4b5d4f9ec25bf69bf3d1632b8f9dfece
krb5-libs-1.2.7-28.i386.rpm
File outdated by:  RHSA-2010:0423
    MD5: 6a5c52f4ec0a575ca3f22696c592ecc6
krb5-libs-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 3ba1a8cda52f4c5c4f235390b5ab231c
krb5-server-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: 4dae049940b908786c4c18ec2c4633e0
krb5-workstation-1.2.7-28.x86_64.rpm
File outdated by:  RHSA-2010:0423
    MD5: c68b7f6f4571165da841e89fb2de809d
 

References


Keywords

client, krb5, timeout


These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/