Debian: New libapache-mod-auth-kerb packages fix remote denial of service

    Date08 Jan 2007
    CategoryDebian
    4477
    Posted ByLinuxSecurity Advisories
    An off-by-one error leading to a heap-based buffer overflow has been identified in libapache-mod-auth-kerb, an Apache module for Kerberos authentication. The error could allow an attacker to trigger an application crash or potentially execute arbitrary code by sending a specially crafted kerberos message.
    - ------------------------------------------------------------------------
    Debian Security Advisory DSA-1247-1                This email address is being protected from spambots. You need JavaScript enabled to view it.
    http://www.debian.org/security/                         Noah Meyerhans
    January 08, 2007
    - ------------------------------------------------------------------------
    
    Package        : libapache-mod-auth-kerb
    Vulnerability  : heap overflow
    Problem type   : remote
    Debian-specific: no
    CVE Id(s)      : CVE-2006-5989
    BugTraq ID     : 21214
    Debian Bug     : 400589
    
    An off-by-one error leading to a heap-based buffer overflow has been
    identified in libapache-mod-auth-kerb, an Apache module for Kerberos
    authentication.  The error could allow an attacker to trigger an
    application crash or potentially execute arbitrary code by sending a
    specially crafted kerberos message.
    
    For the stable distribution (sarge), this problem has been fixed in
    version 4.996-5.0-rc6-1sarge1.
    
    For the unstable version (sid) and the forthcoming stable version
    (etch), this problem has been fixed in version 5.3-1.
    
    We recommend that you upgrade your libapache-mod-auth-kerb package.
    
    Upgrade instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    Debian 3.1 (stable)
    - -------------------
    
    Stable updates are available for alpha, amd64, arm, hppa, i386, ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
    
    Source archives:
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1.dsc
        Size/MD5 checksum:      744 5e045be08755cab316754a7f214eeaae
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1.diff.gz
        Size/MD5 checksum:    49849 3ebbb5101629ddd8917159c1cbdf20ab
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6.orig.tar.gz
        Size/MD5 checksum:    68787 b6a6c80b25b362eb7394f69cdc91f76d
    
    amd64 architecture (AMD x86_64 (AMD64))
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_amd64.deb
        Size/MD5 checksum:    28574 65078aa7e78f2728499849047eaf2fbb
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_amd64.deb
        Size/MD5 checksum:    27148 60ce4d39ac022335bd98ea7ed412f24d
    
    arm architecture (ARM)
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_arm.deb
        Size/MD5 checksum:    24078 053e0b54c348251be97c7708d43b5542
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_arm.deb
        Size/MD5 checksum:    25498 e1882b8b0e408cb2339ef4d43c800bd7
    
    hppa architecture (HP PA RISC)
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_hppa.deb
        Size/MD5 checksum:    28796 e29c79c55af53fc66cc1ea9084c63403
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_hppa.deb
        Size/MD5 checksum:    27246 4d2394e0fc2a429c03ad6063c9ea2cce
    
    i386 architecture (Intel ia32)
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_i386.deb
        Size/MD5 checksum:    25014 20666ea4edbce196ba0b4ea120425af5
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_i386.deb
        Size/MD5 checksum:    27176 6e7e40781f4beadec9226a918c8d4591
    
    ia64 architecture (Intel ia64)
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_ia64.deb
        Size/MD5 checksum:    31886 8146de1df6e65b32e213bfdc9b1320d2
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_ia64.deb
        Size/MD5 checksum:    33946 a2f93809df0703311c64ab28bc71a435
    
    m68k architecture (Motorola Mc680x0)
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_m68k.deb
        Size/MD5 checksum:    24592 111a715b11307ad90a8c3c72d144067d
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_m68k.deb
        Size/MD5 checksum:    24904 058b9470f905b33b7db5c1b7c82b704c
    
    mips architecture (MIPS (Big Endian))
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_mips.deb
        Size/MD5 checksum:    26282 32ea8b07b5884759d0be1ae80aff2cbe
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_mips.deb
        Size/MD5 checksum:    24916 3086189cc29784d14c3c262bf5db79c6
    
    mipsel architecture (MIPS (Little Endian))
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_mipsel.deb
        Size/MD5 checksum:    24750 4e60ed40a92ebd95eac8b1b1a047eeb1
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_mipsel.deb
        Size/MD5 checksum:    26078 3debbde1ea8f7bfdded64641019ee035
    
    powerpc architecture (PowerPC)
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_powerpc.deb
        Size/MD5 checksum:    27564 224b00ca30cfbc147af1359bb97d5bf2
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_powerpc.deb
        Size/MD5 checksum:    26050 26618825bca0ebce62a17f372c945dc5
    
    s390 architecture (IBM S/390)
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_s390.deb
        Size/MD5 checksum:    28890 4a105cf32ef83ab8b2f3ea41a3303d69
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_s390.deb
        Size/MD5 checksum:    27520 9582e86ab07a5fe726c88c35b4463a74
    
    sparc architecture (Sun SPARC/UltraSPARC)
    
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache-mod-auth-kerb_4.996-5.0-rc6-1sarge1_sparc.deb
        Size/MD5 checksum:    24014 d7e4b7d6fe57acd4cf5bb100e35a964f
      http://security.debian.org/pool/updates/main/liba/libapache-mod-auth-kerb/libapache2-mod-auth-kerb_4.996-5.0-rc6-1sarge1_sparc.deb
        Size/MD5 checksum:    25022 78f3c5282673219f044955496aaed10b
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb http://security.debian.org/ stable/updates main
    For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"65","type":"x","order":"1","pct":57.52,"resources":[]},{"id":"88","title":"Should be more technical","votes":"15","type":"x","order":"2","pct":13.27,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"33","type":"x","order":"3","pct":29.2,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.