Security Advisory Low: krb5 security and bug fix update

Advisory: RHSA-2012:0306-3
Type: Security Advisory
Severity: Low
Issued on: 2012-02-21
Last updated on: 2012-02-21
Affected Products: RHEL Desktop Workstation (v. 5 client)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2011-1526

Details

Updated krb5 packages that fix one security issue and various bugs are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Kerberos is a network authentication system which allows clients and
servers to authenticate to each other using symmetric encryption and a
trusted third-party, the Key Distribution Center (KDC).

It was found that ftpd, a Kerberos-aware FTP server, did not properly drop
privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check
for the potential failure of the effective group ID change system call. If
the group ID change failed, a remote FTP user could use this flaw to gain
unauthorized read or write access to files that are owned by the root
group. (CVE-2011-1526)

Red Hat would like to thank the MIT Kerberos project for reporting this
issue. Upstream acknowledges Tim Zingelman as the original reporter.

This update also fixes the following bugs:

* Due to a mistake in the Kerberos libraries, a client could fail to
contact a Key Distribution Center (KDC) or terminate unexpectedly if the
client already had more than 1024 file descriptors in use. This update
backports modifications so that the Kerberos libraries use the poll()
function instead of the select() function, as poll() does not have this
limitation. (BZ#701444)
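Added example (not krb5 code) of the replacement described above: a poll()-based readiness wait that is independent of the descriptor number, alongside the range check a select()-based wait would need, since FD_SET on a descriptor at or above FD_SETSIZE is undefined behaviour. The pipe demo is constructed for illustration.

```c
#include <errno.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

/* Wait until fd is readable or timeout_ms elapses. poll() takes the descriptor
 * number directly, so it keeps working once a process holds more than
 * FD_SETSIZE (usually 1024) descriptors. Returns 1 readable, 0 timeout, -1 error. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    for (;;) {
        int rc = poll(&pfd, 1, timeout_ms);
        if (rc < 0 && errno == EINTR)
            continue;                      /* interrupted by a signal: retry */
        if (rc <= 0)
            return rc;                     /* 0 = timeout, -1 = error */
        return (pfd.revents & (POLLIN | POLLHUP | POLLERR)) ? 1 : -1;
    }
}

/* Guard a select()-based wait must apply: descriptors the fd_set cannot hold
 * must be rejected rather than passed to FD_SET. */
int fd_usable_with_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Constructed demo: a pipe with one byte pending is readable immediately. */
int demo_pipe_readable(void)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    int rc = (write(fds[1], "x", 1) == 1) ? wait_readable(fds[0], 1000) : -1;
    close(fds[0]);
    close(fds[1]);
    return rc;
}
```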

* The KDC failed to release memory when processing a TGS (ticket-granting
server) request from a client if the client request included an
authenticator with a subkey. As a result, the KDC consumed an excessive
amount of memory. With this update, code to release the memory has been
added and the problem no longer occurs. (BZ#708516)

* Under certain circumstances, if services requiring Kerberos
authentication sent two authentication requests to the authenticating
server, the second authentication request was flagged as a replay attack.
As a result, the second authentication attempt was denied. This update
applies an upstream patch that fixes this bug. (BZ#713500)

* Previously, if Kerberos credentials had expired, the klist command could
terminate unexpectedly with a segmentation fault when invoked with the -s
option. This happened when klist encountered and failed to process an entry
with no realm name while scanning the credential cache. With this update,
the underlying code has been modified and the command handles such entries
correctly. (BZ#729067)

* Due to a regression, multi-line FTP macros terminated prematurely with a
segmentation fault. This occurred because the previously-added patch failed
to properly support multi-line macros. This update restores the support for
multi-line macros and the problem no longer occurs. (BZ#735363, BZ#736132)

All users of krb5 are advised to upgrade to these updated packages, which
resolve these issues.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Updated packages

Bugs fixed (see bugzilla for more information)

701444 - Fix libkrb5 to work when > 1024 file descriptors are in use
708516 - memory leak during kdc TGS request
711419 - CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005)
729067 - klist -s segfaults with expired credentials
750823 - Newly introduced defect into krb5

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/