Security Advisory Important: krb5 security and bug fix update

Advisory: RHSA-2010:0343-1
Type: Security Advisory
Severity: Important
Issued on: 2010-04-06
Last updated on: 2010-04-06
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2010-0629

Details

Updated krb5 packages that fix one security issue and one bug are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Kerberos is a network authentication system which allows clients and
servers to authenticate to each other using symmetric encryption and a
trusted third party, the Key Distribution Center (KDC).

A use-after-free flaw was discovered in the MIT Kerberos administration
daemon, kadmind. A remote, authenticated attacker could use this flaw to
crash the kadmind daemon. Administrative privileges are not required to
trigger this flaw, as any realm user can request information about their
own principal from kadmind. (CVE-2010-0629)

This update also fixes the following bug:

* when a Kerberos client seeks tickets for use with a service, it must
contact the Key Distribution Center (KDC) to obtain them. The client must
also determine which realm the service belongs to and it typically does
this with a combination of client configuration detail, DNS information and
guesswork.

If the service belongs to a realm other than the client's, cross-realm
authentication is required. Using a combination of client configuration and
guesswork, the client determines the trust relationship sequence which
forms the trusted path between the client's realm and the service's realm.
This may include one or more intermediate realms.

Anticipating that the KDC has better knowledge of extant trust relationships,
the client then requests a ticket from the service's KDC, indicating it
will accept guidance from the service's KDC by setting a special flag in
the request. A KDC which recognizes the flag can, at its option, return a
ticket-granting ticket for the next realm along the trust path the client
should be following.

If the ticket-granting ticket returned by the service's KDC is for use with
a realm the client has already determined was in the trusted path, the
client accepts this as an optimization and continues. If, however, the
ticket is for use in a realm the client is not expecting, the client
responds incorrectly: it treats the case as an error rather than continuing
along the path suggested by the service's KDC.

For this update, the krb5 1.7 modifications, which allow the client to trust
such KDCs to send it along the correct path so that it obtains the tickets it
originally wanted, were backported to krb5 1.6.1 (the version shipped with
Red Hat Enterprise Linux 5.5). (BZ#578540)
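The referral-chasing behaviour described above, modelled as an added example (this is not krb5 source code and not Red Hat's patch): a client walks from its own realm toward the service's realm, each KDC answers the flagged request with a cross-realm TGT for whatever it believes the next hop is, and the client either accepts the hop because it is on the path it guessed, or, depending on whether it has the backported logic, treats an unexpected realm as an error or follows the KDC's guidance. The realm names, the per-KDC next-hop table, and the client's capaths-style guess are all constructed for the illustration.

```python
"""Model of Kerberos cross-realm referral chasing (added example, not krb5 code).
Realm names, trust topology and the client's path guess are constructed."""
from dataclasses import dataclass


class KrbError(Exception):
    """Stand-in for a Kerberos protocol or library error."""


# Each KDC's knowledge of the next realm along the trust path toward a given
# service realm (constructed). This is the "better knowledge of extant trust
# relationships" that the KDC has and the client does not.
KDC_NEXT_HOP = {
    "CLIENT.EXAMPLE":  {"EXAMPLE.ORG": "HUB.EXAMPLE", "PARTNER.EXAMPLE": "LAB.EXAMPLE"},
    "HUB.EXAMPLE":     {"EXAMPLE.ORG": "EXAMPLE.ORG"},
    "LAB.EXAMPLE":     {"PARTNER.EXAMPLE": "PARTNER.EXAMPLE"},
    "EXAMPLE.ORG":     {},
    "PARTNER.EXAMPLE": {},
}

# The client's own guess at the trusted path, as it would come from a
# [capaths] section in krb5.conf (constructed). The EXAMPLE.ORG guess is wrong;
# the PARTNER.EXAMPLE guess is longer than the path the KDC actually uses.
CLIENT_CAPATHS = {
    ("CLIENT.EXAMPLE", "EXAMPLE.ORG"):     ["CLIENT.EXAMPLE", "LAB.EXAMPLE", "EXAMPLE.ORG"],
    ("CLIENT.EXAMPLE", "PARTNER.EXAMPLE"): ["CLIENT.EXAMPLE", "HUB.EXAMPLE", "LAB.EXAMPLE", "PARTNER.EXAMPLE"],
}


@dataclass
class Reply:
    kind: str   # "service": a ticket for the service; "tgt": a cross-realm TGT
    realm: str  # realm the ticket is good for


def kdc_tgs(kdc_realm, service_realm):
    """TGS exchange at the KDC of kdc_realm. The request carries the referral
    flag, so the KDC may answer with a TGT for whichever realm it considers
    the next hop rather than with a ticket for the service itself."""
    if service_realm == kdc_realm:
        return Reply("service", kdc_realm)
    next_hop = KDC_NEXT_HOP[kdc_realm].get(service_realm)
    if next_hop is None:
        raise KrbError(f"{kdc_realm}: no trust path toward {service_realm}")
    return Reply("tgt", next_hop)   # i.e. krbtgt/next_hop@kdc_realm


def get_service_ticket(client_realm, service_realm, follow_unexpected_referrals, max_hops=8):
    """Walk from the client's realm to the service's realm and return the list
    of realms whose TGTs the client held on the way.

    follow_unexpected_referrals=False models the pre-update client: a TGT for
    a realm outside its expected path is treated as an error. True models the
    backported krb5 1.7 behaviour: the client trusts the KDC's guidance."""
    expected = CLIENT_CAPATHS.get((client_realm, service_realm), [client_realm, service_realm])
    held = [client_realm]
    current = client_realm
    for _ in range(max_hops):
        reply = kdc_tgs(current, service_realm)
        if reply.kind == "service":
            return held
        if reply.realm in held:
            raise KrbError(f"client: referral loop back to {reply.realm}")
        if reply.realm not in expected and not follow_unexpected_referrals:
            raise KrbError(f"client: unexpected cross-realm TGT for {reply.realm}, "
                           f"expected one of {expected}")
        held.append(reply.realm)   # on the guessed path, or a referral the client trusts
        current = reply.realm
    raise KrbError("client: too many hops")


if __name__ == "__main__":
    for service_realm in ("EXAMPLE.ORG", "PARTNER.EXAMPLE"):
        for label, follow in (("pre-update client", False), ("updated client", True)):
            try:
                path = get_service_ticket("CLIENT.EXAMPLE", service_realm, follow)
                print(f"{label:18} -> {service_realm}: {' -> '.join(path)}")
            except KrbError as err:
                print(f"{label:18} -> {service_realm}: {err}")
```

Running it shows the two cases the advisory distinguishes: for PARTNER.EXAMPLE the KDC's shortcut lands on a realm the client already expected, so both clients accept it as an optimization; for EXAMPLE.ORG the referral goes to HUB.EXAMPLE, which the pre-update client rejects as an error while the updated client follows it and obtains the ticket.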

All krb5 users should upgrade to these updated packages, which contain
backported patches to correct these issues. All running KDC services must
be restarted for the update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
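One check an administrator would want after applying the erratum is whether every installed krb5 subpackage is at least at the fixed build, 1.6.1-36.el5_5.2. The following is an added example (not a Red Hat tool) that applies the rpm version-ordering rules to the output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' krb5-libs krb5-server krb5-workstation krb5-devel`; the sample output embedded below is constructed, and the comparison omits the epoch (the RHEL 5 krb5 packages carry none) and the `~`/`^` rules of newer rpm releases.

```python
"""Audit installed krb5 packages against the fixed build in this advisory.
Added example, not Red Hat code. Sample rpm -q output is constructed."""
import re

# Version-release of the fixed packages listed in this advisory.
FIXED_VR = "1.6.1-36.el5_5.2"

# Constructed sample of:
#   rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' krb5-libs krb5-server krb5-workstation krb5-devel
# The last line is what rpm prints for a package that is not installed.
SAMPLE_RPM_QUERY = """\
krb5-libs-1.6.1-36.el5_5.2
krb5-server-1.6.1-36.el5_4.1
krb5-workstation-1.6.1-31.el5
package krb5-devel is not installed
"""

_SEGMENT = re.compile(r"(\d+|[A-Za-z]+)")


def rpmvercmp(a, b):
    """Compare two version or release strings the way rpm's rpmvercmp() does:
    split into numeric and alphabetic segments (separators are ignored),
    compare segment by segment, numeric segments beat alphabetic ones, and
    the string with segments left over is the newer one. Returns -1, 0 or 1.
    Simplification: '~' and '^' ordering of newer rpm versions is not handled."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)          # int() drops leading zeros, as rpm does
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # number outranks letters
        elif x != y:
            return 1 if x > y else -1        # plain lexical order for letters
    if len(seg_a) != len(seg_b):
        return 1 if len(seg_a) > len(seg_b) else -1
    return 0


def split_nvr(nvr):
    """'krb5-server-1.6.1-36.el5_5.2' -> ('krb5-server', '1.6.1', '36.el5_5.2')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def needs_update(installed_nvr, fixed_nvr):
    """True when the installed package is older than the fixed build."""
    n1, v1, r1 = split_nvr(installed_nvr)
    n2, v2, r2 = split_nvr(fixed_nvr)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    order = rpmvercmp(v1, v2) or rpmvercmp(r1, r2)
    return order < 0


def audit(rpm_query_output):
    """Map each installed krb5 subpackage name to whether it still needs this update."""
    result = {}
    for line in rpm_query_output.splitlines():
        line = line.strip()
        if not line or (line.startswith("package ") and line.endswith("is not installed")):
            continue
        name, _, _ = split_nvr(line)
        result[name] = needs_update(line, f"{name}-{FIXED_VR}")
    return result


if __name__ == "__main__":
    for name, stale in audit(SAMPLE_RPM_QUERY).items():
        print(f"{name:18} {'UPDATE NEEDED' if stale else 'ok (>= ' + FIXED_VR + ')'}")
```

Feed it the real query output instead of the sample to audit a host. Where krb5-server was updated, remember the advisory's note that running KDC services must be restarted: the krb5kdc and kadmin init scripts shipped by the krb5-server package are the ones to restart on RHEL 5.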

Updated packages

RHEL Desktop Workstation (v. 5 client)

SRPMS:
krb5-1.6.1-36.el5_5.2.src.rpm
File outdated by:  RHSA-2013:0942
    MD5: d3a4f16fa37e255ff44ff20a3282fa4d
SHA-256: ae39aae8be2533800bef6421ac878b9d4cb41875ad2de86d81b6496c65401e08
 
IA-32:
krb5-devel-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: c857c4a52d6eb4f071cfd1e9059e83f2
SHA-256: 7b8455f61e91264f68047c2d814f9d475b5c73e6f7f6f57c1a26849f23e7ea32
krb5-server-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: 794f5d35957589e1a1dcfba2960fadfd
SHA-256: 2759f4fc716171a4caf9cc9e08ed7babaa9a62384c5ee58860804104cedeb77d
 
x86_64:
krb5-devel-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: c857c4a52d6eb4f071cfd1e9059e83f2
SHA-256: 7b8455f61e91264f68047c2d814f9d475b5c73e6f7f6f57c1a26849f23e7ea32
krb5-devel-1.6.1-36.el5_5.2.x86_64.rpm
File outdated by:  RHSA-2013:0942
    MD5: 145ba841b561f2f04ca735d9bbcfe856
SHA-256: 3f89f6da8aa11a06ead9f21cdee9f4a83fae7660d1f4b5ab29826e72853f886b
krb5-server-1.6.1-36.el5_5.2.x86_64.rpm
File outdated by:  RHSA-2013:0942
    MD5: 8db3d6099804b768a5f467345a3cc5cd
SHA-256: 8b024a3192e61a8787e76332db2a44809777083d262f0e0b1efd22aa314b650f
 
Red Hat Enterprise Linux (v. 5 server)

SRPMS:
krb5-1.6.1-36.el5_5.2.src.rpm
File outdated by:  RHSA-2013:0942
    MD5: d3a4f16fa37e255ff44ff20a3282fa4d
SHA-256: ae39aae8be2533800bef6421ac878b9d4cb41875ad2de86d81b6496c65401e08
 
IA-32:
krb5-devel-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: c857c4a52d6eb4f071cfd1e9059e83f2
SHA-256: 7b8455f61e91264f68047c2d814f9d475b5c73e6f7f6f57c1a26849f23e7ea32
krb5-libs-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: fe5d1f15ebc549fa6488438ec476aca1
SHA-256: 7c8246bf6cb9c9c1d5589a1c0f0292cd911a92183eb3e6a24bd35b869b6356f7
krb5-server-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: 794f5d35957589e1a1dcfba2960fadfd
SHA-256: 2759f4fc716171a4caf9cc9e08ed7babaa9a62384c5ee58860804104cedeb77d
krb5-workstation-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: 57d9e41f39a5226d4ee2943edeab1858
SHA-256: 3c29a59664eee7e785d7264801d3e5c3db7b0c901095176bb4518f72c4eba775
 
IA-64:
krb5-devel-1.6.1-36.el5_5.2.ia64.rpm
File outdated by:  RHSA-2013:0942
    MD5: 8cdd421ad2ea477c84bc4a716255f64b
SHA-256: c25ffe603b5246a77f7300a91f579994f807be4907e2e9a97c2d3b5ded4ef9a4
krb5-libs-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: fe5d1f15ebc549fa6488438ec476aca1
SHA-256: 7c8246bf6cb9c9c1d5589a1c0f0292cd911a92183eb3e6a24bd35b869b6356f7
krb5-libs-1.6.1-36.el5_5.2.ia64.rpm
File outdated by:  RHSA-2013:0942
    MD5: 82ab6cb8abf21dd8bfb0b64c4583137a
SHA-256: 7a37b67e621aac86dd914c914ebe3b92279afc09223c4e207b6828975142f1fc
krb5-server-1.6.1-36.el5_5.2.ia64.rpm
File outdated by:  RHSA-2013:0942
    MD5: cb457a93f6dd76896251136ae2d44b81
SHA-256: bc032511c45ca70a09ba05e9146e632896c618a7c69bf69abd07cc24b6fe10a9
krb5-workstation-1.6.1-36.el5_5.2.ia64.rpm
File outdated by:  RHSA-2013:0942
    MD5: 003bc34a775afcffa463b715ce09c4a4
SHA-256: 6213e3ffb3aaffbd6c64b698ad1db3172255c16d0c6598d3d28fd969ffc71fb6
 
PPC:
krb5-devel-1.6.1-36.el5_5.2.ppc.rpm
File outdated by:  RHSA-2013:0942
    MD5: 7a54d60e1b0c4356b28fbfae49edbb10
SHA-256: e281ba8ee69fe6e81c08a27efb153def5d1ee9f6352ba05bd685af8cfe41f9d3
krb5-devel-1.6.1-36.el5_5.2.ppc64.rpm
File outdated by:  RHSA-2013:0942
    MD5: 49f5584ed1051d8b237a8fd5580ed042
SHA-256: 16264e4253290c8500fad7d551fbcbdd325c7c9ccb50b1938e0c98f1ec6da08e
krb5-libs-1.6.1-36.el5_5.2.ppc.rpm
File outdated by:  RHSA-2013:0942
    MD5: 76dec0616142fb0d8021ab77e89be093
SHA-256: 564988a827da30f00ec92d893b2db9aa05cf31dce6c53fb0f6045db093af7f2c
krb5-libs-1.6.1-36.el5_5.2.ppc64.rpm
File outdated by:  RHSA-2013:0942
    MD5: 51840b934c3e6171a37639d4ec466b99
SHA-256: 74abebec568cdcd7073338d904716a410943904c55608ef09297cfdfc43ec662
krb5-server-1.6.1-36.el5_5.2.ppc.rpm
File outdated by:  RHSA-2013:0942
    MD5: 62f0694b2f98fdc1e2380a42250ea651
SHA-256: e6815829dd7934cf2659161e714a2a3c752176c565b401947092ff5f52e01595
krb5-workstation-1.6.1-36.el5_5.2.ppc.rpm
File outdated by:  RHSA-2013:0942
    MD5: 6ce6411827b773f0243aeb26d994f7be
SHA-256: ab5d1f2fb1d6c38fc37ec49fa1b2f9d446f151a161c9443f4d7ce75739d04436
 
s390x:
krb5-devel-1.6.1-36.el5_5.2.s390.rpm
File outdated by:  RHSA-2013:0942
    MD5: b4f0305c1a0791a85f47034140212369
SHA-256: 85b44a6e18570d931b13b349493383400aee250f5fce42f7ce25010da4ea4fd3
krb5-devel-1.6.1-36.el5_5.2.s390x.rpm
File outdated by:  RHSA-2013:0942
    MD5: 323b1e7970114cbe04fed9562c383b21
SHA-256: 0b8cf9d6f2c695bbee0f277c2da106d0e2a9607cb3b6d41ca793b936b19100b0
krb5-libs-1.6.1-36.el5_5.2.s390.rpm
File outdated by:  RHSA-2013:0942
    MD5: 477a5d894a5dc88831ed6e35e252365f
SHA-256: 286f25b3c351b669d1f1140abad6aec35257a93f9b94e669015ca3c225c58d0f
krb5-libs-1.6.1-36.el5_5.2.s390x.rpm
File outdated by:  RHSA-2013:0942
    MD5: 547e5cb364a5677ff2739717c0bff1d7
SHA-256: 3fa191f573492bc60d5da94413cb733e4cc0ec7005296f6fb84c8c5f955849d7
krb5-server-1.6.1-36.el5_5.2.s390x.rpm
File outdated by:  RHSA-2013:0942
    MD5: 22c9dbf01e207b7673d6f3045e1af015
SHA-256: e7e10f188d001f72e5b7dae7635663f0781591a90c2c65a9ffaaa9b69a083563
krb5-workstation-1.6.1-36.el5_5.2.s390x.rpm
File outdated by:  RHSA-2013:0942
    MD5: 70a946c04efbd8ee97706c3584ebeba9
SHA-256: 981b6f73a67f3d229cf2d4df8f09f481223e7d215d58c88a0629278e383ca75a
 
x86_64:
krb5-devel-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: c857c4a52d6eb4f071cfd1e9059e83f2
SHA-256: 7b8455f61e91264f68047c2d814f9d475b5c73e6f7f6f57c1a26849f23e7ea32
krb5-devel-1.6.1-36.el5_5.2.x86_64.rpm
File outdated by:  RHSA-2013:0942
    MD5: 145ba841b561f2f04ca735d9bbcfe856
SHA-256: 3f89f6da8aa11a06ead9f21cdee9f4a83fae7660d1f4b5ab29826e72853f886b
krb5-libs-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: fe5d1f15ebc549fa6488438ec476aca1
SHA-256: 7c8246bf6cb9c9c1d5589a1c0f0292cd911a92183eb3e6a24bd35b869b6356f7
krb5-libs-1.6.1-36.el5_5.2.x86_64.rpm
File outdated by:  RHSA-2013:0942
    MD5: dbd03b83167cb2dee3d0b14737f31ea1
SHA-256: 86555fd0ec626f362a9d27e0043c61460414ac64cbd517b8d6b5af5c65e5e5b1
krb5-server-1.6.1-36.el5_5.2.x86_64.rpm
File outdated by:  RHSA-2013:0942
    MD5: 8db3d6099804b768a5f467345a3cc5cd
SHA-256: 8b024a3192e61a8787e76332db2a44809777083d262f0e0b1efd22aa314b650f
krb5-workstation-1.6.1-36.el5_5.2.x86_64.rpm
File outdated by:  RHSA-2013:0942
    MD5: dbfe172048d3893fac86d683a9524d9c
SHA-256: 3455a392deb43aba01ed1a435c03f898d383eb34f3db88754f33382c102dd06e
 
Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
krb5-1.6.1-36.el5_5.2.src.rpm
File outdated by:  RHSA-2013:0942
    MD5: d3a4f16fa37e255ff44ff20a3282fa4d
SHA-256: ae39aae8be2533800bef6421ac878b9d4cb41875ad2de86d81b6496c65401e08
 
IA-32:
krb5-libs-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: fe5d1f15ebc549fa6488438ec476aca1
SHA-256: 7c8246bf6cb9c9c1d5589a1c0f0292cd911a92183eb3e6a24bd35b869b6356f7
krb5-workstation-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: 57d9e41f39a5226d4ee2943edeab1858
SHA-256: 3c29a59664eee7e785d7264801d3e5c3db7b0c901095176bb4518f72c4eba775
 
x86_64:
krb5-libs-1.6.1-36.el5_5.2.i386.rpm
File outdated by:  RHSA-2013:0942
    MD5: fe5d1f15ebc549fa6488438ec476aca1
SHA-256: 7c8246bf6cb9c9c1d5589a1c0f0292cd911a92183eb3e6a24bd35b869b6356f7
krb5-libs-1.6.1-36.el5_5.2.x86_64.rpm
File outdated by:  RHSA-2013:0942
    MD5: dbd03b83167cb2dee3d0b14737f31ea1
SHA-256: 86555fd0ec626f362a9d27e0043c61460414ac64cbd517b8d6b5af5c65e5e5b1
krb5-workstation-1.6.1-36.el5_5.2.x86_64.rpm
File outdated by:  RHSA-2013:0942
    MD5: dbfe172048d3893fac86d683a9524d9c
SHA-256: 3455a392deb43aba01ed1a435c03f898d383eb34f3db88754f33382c102dd06e
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

576011 - CVE-2010-0629 krb5: kadmind use-after-free remote crash (MITKRB5-SA-2010-003)
578540 - [RFE] Backport referral-chasing code within krb5-1.7 to RHEL5


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/