Security Advisory Critical: krb5 security update

Advisory: RHSA-2011:1853-1
Type: Security Advisory
Severity: Critical
Issued on: 2011-12-28
Last updated on: 2011-12-28
Affected Products: Red Hat Enterprise Linux ELS (v. 3)
Red Hat Enterprise Linux EUS (v. 5.6.z server)
Red Hat Enterprise Linux Long Life (v. 5.3 server)
Red Hat Enterprise Linux Long Life (v. 5.6 server)
CVEs (cve.mitre.org): CVE-2011-4862

Details

Updated krb5 packages that fix one security issue are now available for
Red Hat Enterprise Linux 3 Extended Life Cycle Support, 5.3 Long Life and
5.6 Extended Update Support.

The Red Hat Security Response Team has rated this update as having critical
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Kerberos is a network authentication system which allows clients and
servers to authenticate to each other using symmetric encryption and a
trusted third-party, the Key Distribution Center (KDC).

A buffer overflow flaw was found in the MIT krb5 telnet daemon (telnetd).
A remote attacker who can access the telnet port of a target machine could
use this flaw to execute arbitrary code as root. (CVE-2011-4862)

Note that the krb5 telnet daemon is not enabled by default in any version
of Red Hat Enterprise Linux. In addition, the default firewall rules block
remote access to the telnet port. This flaw does not affect the telnet
daemon distributed in the telnet-server package.

For users who have installed the krb5-workstation package, have enabled the
telnet daemon, and have it accessible remotely, this update should be
applied immediately.

All krb5-workstation users should upgrade to these updated packages, which
contain a backported patch to correct this issue.


Solution

The krb5 telnet daemon is an xinetd service. You can determine if krb5
telnetd is enabled with the commands:

/sbin/chkconfig --list krb5-telnet
/sbin/chkconfig --list ekrb5-telnet

The output of these commands will display "on" if krb5 telnet is enabled.
The krb5 telnet daemon can be disabled immediately with the commands:

/sbin/chkconfig krb5-telnet off
/sbin/chkconfig ekrb5-telnet off
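
The check and the disable step above can be scripted for use across several hosts. The following is an added example, not part of the original advisory; the function names and the sample output are constructed, and the parser assumes chkconfig prints xinetd services as a name followed by "on" or "off" (with or without a trailing colon on the name).

```shell
#!/bin/sh
# Added example: find enabled krb5 telnet xinetd services from
# `chkconfig --list` output and print the matching disable commands.

enabled_krb5_telnet() {
    # Reads chkconfig output on stdin. Accepts both "krb5-telnet  on" and
    # the full-listing form "krb5-telnet:  on" (assumed formats).
    # Prints one service name per line for each service that is "on".
    awk '{
        name = $1
        sub(/:$/, "", name)
        if ((name == "krb5-telnet" || name == "ekrb5-telnet") && $2 == "on")
            print name
    }'
}

disable_commands() {
    # Reads service names on stdin and prints the advisory's disable
    # command for each one. Nothing is executed here.
    while read -r svc; do
        printf '/sbin/chkconfig %s off\n' "$svc"
    done
}

audit_host() {
    # Queries both service names from the advisory on the local host.
    # A service that is not installed makes chkconfig fail; that error
    # is discarded and the service is treated as not enabled.
    for svc in krb5-telnet ekrb5-telnet; do
        /sbin/chkconfig --list "$svc" 2>/dev/null
    done | enabled_krb5_telnet
}

# Constructed sample output, not captured from a real system.
SAMPLE_OUTPUT='krb5-telnet     on
ekrb5-telnet    off
kshell          on'

# Usage on a real host:  audit_host | disable_commands
# Usage on saved output: enabled_krb5_telnet < saved-chkconfig.txt
```

Run `audit_host | disable_commands` as root and review the printed commands before executing them; an empty result means neither service is enabled.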

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Red Hat Enterprise Linux ELS (v. 3)

IA-32:
krb5-devel-1.2.7-73.i386.rpm
krb5-libs-1.2.7-73.i386.rpm
krb5-server-1.2.7-73.i386.rpm
krb5-workstation-1.2.7-73.i386.rpm
 
Red Hat Enterprise Linux EUS (v. 5.6.z server)

SRPMS:
krb5-1.6.1-55.el5_6.3.src.rpm

IA-32:
krb5-devel-1.6.1-55.el5_6.3.i386.rpm
krb5-libs-1.6.1-55.el5_6.3.i386.rpm
krb5-server-1.6.1-55.el5_6.3.i386.rpm
krb5-server-ldap-1.6.1-55.el5_6.3.i386.rpm
krb5-workstation-1.6.1-55.el5_6.3.i386.rpm

IA-64:
krb5-devel-1.6.1-55.el5_6.3.ia64.rpm
krb5-libs-1.6.1-55.el5_6.3.i386.rpm
krb5-libs-1.6.1-55.el5_6.3.ia64.rpm
krb5-server-1.6.1-55.el5_6.3.ia64.rpm
krb5-server-ldap-1.6.1-55.el5_6.3.ia64.rpm
krb5-workstation-1.6.1-55.el5_6.3.ia64.rpm

PPC:
krb5-devel-1.6.1-55.el5_6.3.ppc.rpm
krb5-devel-1.6.1-55.el5_6.3.ppc64.rpm
krb5-libs-1.6.1-55.el5_6.3.ppc.rpm
krb5-libs-1.6.1-55.el5_6.3.ppc64.rpm
krb5-server-1.6.1-55.el5_6.3.ppc.rpm
krb5-server-ldap-1.6.1-55.el5_6.3.ppc.rpm
krb5-workstation-1.6.1-55.el5_6.3.ppc.rpm

s390x:
krb5-devel-1.6.1-55.el5_6.3.s390.rpm
krb5-devel-1.6.1-55.el5_6.3.s390x.rpm
krb5-libs-1.6.1-55.el5_6.3.s390.rpm
krb5-libs-1.6.1-55.el5_6.3.s390x.rpm
krb5-server-1.6.1-55.el5_6.3.s390x.rpm
krb5-server-ldap-1.6.1-55.el5_6.3.s390x.rpm
krb5-workstation-1.6.1-55.el5_6.3.s390x.rpm

x86_64:
krb5-devel-1.6.1-55.el5_6.3.i386.rpm
krb5-devel-1.6.1-55.el5_6.3.x86_64.rpm
krb5-libs-1.6.1-55.el5_6.3.i386.rpm
krb5-libs-1.6.1-55.el5_6.3.x86_64.rpm
krb5-server-1.6.1-55.el5_6.3.x86_64.rpm
krb5-server-ldap-1.6.1-55.el5_6.3.x86_64.rpm
krb5-workstation-1.6.1-55.el5_6.3.x86_64.rpm
 
Red Hat Enterprise Linux Long Life (v. 5.3 server)

SRPMS:
krb5-1.6.1-31.el5_3.5.src.rpm

IA-32:
krb5-devel-1.6.1-31.el5_3.5.i386.rpm
krb5-libs-1.6.1-31.el5_3.5.i386.rpm
krb5-server-1.6.1-31.el5_3.5.i386.rpm
krb5-workstation-1.6.1-31.el5_3.5.i386.rpm

IA-64:
krb5-devel-1.6.1-31.el5_3.5.ia64.rpm
krb5-libs-1.6.1-31.el5_3.5.i386.rpm
krb5-libs-1.6.1-31.el5_3.5.ia64.rpm
krb5-server-1.6.1-31.el5_3.5.ia64.rpm
krb5-workstation-1.6.1-31.el5_3.5.ia64.rpm

x86_64:
krb5-devel-1.6.1-31.el5_3.5.i386.rpm
krb5-devel-1.6.1-31.el5_3.5.x86_64.rpm
krb5-libs-1.6.1-31.el5_3.5.i386.rpm
krb5-libs-1.6.1-31.el5_3.5.x86_64.rpm
krb5-server-1.6.1-31.el5_3.5.x86_64.rpm
krb5-workstation-1.6.1-31.el5_3.5.x86_64.rpm
 
Red Hat Enterprise Linux Long Life (v. 5.6 server)

SRPMS:
krb5-1.6.1-55.el5_6.3.src.rpm

IA-32:
krb5-devel-1.6.1-55.el5_6.3.i386.rpm
krb5-libs-1.6.1-55.el5_6.3.i386.rpm
krb5-server-1.6.1-55.el5_6.3.i386.rpm
krb5-server-ldap-1.6.1-55.el5_6.3.i386.rpm
krb5-workstation-1.6.1-55.el5_6.3.i386.rpm

IA-64:
krb5-devel-1.6.1-55.el5_6.3.ia64.rpm
krb5-libs-1.6.1-55.el5_6.3.i386.rpm
krb5-libs-1.6.1-55.el5_6.3.ia64.rpm
krb5-server-1.6.1-55.el5_6.3.ia64.rpm
krb5-server-ldap-1.6.1-55.el5_6.3.ia64.rpm
krb5-workstation-1.6.1-55.el5_6.3.ia64.rpm

x86_64:
krb5-devel-1.6.1-55.el5_6.3.i386.rpm
krb5-devel-1.6.1-55.el5_6.3.x86_64.rpm
krb5-libs-1.6.1-55.el5_6.3.i386.rpm
krb5-libs-1.6.1-55.el5_6.3.x86_64.rpm
krb5-server-1.6.1-55.el5_6.3.x86_64.rpm
krb5-server-ldap-1.6.1-55.el5_6.3.x86_64.rpm
krb5-workstation-1.6.1-55.el5_6.3.x86_64.rpm
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

770325 - CVE-2011-4862 krb5: remote buffer overflow in kerberized telnet daemon


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/