Fedora Core 2: 2005-270 Critical Issue: Krb5 Buffer Overflow Alert

Kerberos V5 is a trusted-third-party network authentication system,

which can improve your network's security by eliminating the insecure

practice of cleartext passwords.

Updated krb5 packages which fix two buffer overflow vulnerabilities

in the included Kerberos-aware telnet client are now available.

Kerberos is a networked authentication system which uses a trusted

third party (a KDC) to authenticate clients and servers to each

other.

The krb5-workstation package includes a Kerberos-aware telnet client.

Two buffer overflow flaws were discovered in the way the telnet

client handles messages from a server. An attacker may be able to

execute arbitrary code on a victim's machine if the victim can be

tricked into connecting to a malicious telnet server. The Common

Vulnerabilities and Exposures project (cve.mitre.org) has assigned

the names CAN-2005-0468 and CAN-2005-0469 to these issues.

- drop krshd patch

* Thu Mar 17 2005 Nalin Dahyabhai

- add draft fix from Tom Yu for slc_add_reply() buffer overflow (CAN-2005-0469)

- add draft fix from Tom Yu for env_opt_add() buffer overflow (CAN-2005-0468)

3c210dbdcfb5f01a35f52632abbd3e58 SRPMS/krb5-1.3.6-4.src.rpm

2b4e4f7ffe208989572b173efa18c4b4 x86_64/krb5-devel-1.3.6-4.x86_64.rpm

67a3ffb77c8f92b235d503380ff54b32 x86_64/krb5-libs-1.3.6-4.x86_64.rpm

5d8e752002f27ca2ea7c8f40a6247b37 x86_64/krb5-server-1.3.6-4.x86_64.rpm

b01504865b91a46e9f6dab345a939bf6 x86_64/krb5-workstation-1.3.6-4.x86_64.rpm

72def6a5e69a30e63ab071f581ad1729 x86_64/debug/krb5-debuginfo-1.3.6-4.x86_64.rpm

891e77b16aa127543976583a0b134464 x86_64/krb5-libs-1.3.6-4.i386.rpm

e26b5c97144daa666babf9e01bc90b25 i386/krb5-devel-1.3.6-4.i386.rpm

891e77b16aa127543976583a0b134464 i386/krb5-libs-1.3.6-4.i386.rpm

16a523103910c903de48a8c2e33c6524 i386/krb5-server-1.3.6-4.i386.rpm

f36537a81b6330e72c01de759196fb35 i386/krb5-workstation-1.3.6-4.i386.rpm

123d9371167ecbe81399b256ece22399 i386/debug/krb5-debuginfo-1.3.6-4.i386.rpm

This update can also be installed with the Update Agent; you can

launch the Update Agent with the 'up2date' command. =20

Content-Type: application/pgp-signature

Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFCSavBN5vOV3hoi/URAhHFAJ40VLeGnwyNAscU2T7PJjHafnRfPwCfdP3U

mQiNn+duV2S7fVUV23LMZmQ=45YW

-----END PGP SIGNATURE-------MGYHOYXEY6WxJCY8--

--===============1330397643=Content-Type: text/plain; charset="us-ascii"

MIME-Version: 1.0

Content-Transfer-Encoding: 7bit

Content-Disposition: inline

--fedora-announce-list mailing list

fedora-announce-list@redhat.com