Date: Wed, 13 Jan 2010 10:01:49 -0600
Reply-To: Troy Dawson
Sender: Security Errata for Scientific Linux
From: Troy Dawson
Subject: Security ERRATA Critical: krb5 on SL3.x, SL4.x, SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"

Synopsis:          Critical: krb5 security update
Issue date:        2010-01-12
CVE Names:         CVE-2009-4212

CVE-2009-4212 krb: KDC integer overflows in AES and RC4 decryption routines (MITKRB5-SA-2009-004)

Multiple integer underflow flaws, leading to heap-based corruption, were found in the way the MIT Kerberos Key Distribution Center (KDC) decrypted ciphertexts encrypted with the Advanced Encryption Standard (AES) and ARCFOUR (RC4) encryption algorithms. If a remote KDC client were able to provide a specially-crafted AES- or RC4-encrypted ciphertext or texts, it could potentially lead to either a denial of service of the central KDC (KDC crash or abort upon processing the crafted ciphertext), or arbitrary code execution with the privileges of the KDC (i.e., root privileges). (CVE-2009-4212)

All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
SL 3.0.x

  SRPMS:
    krb5-1.2.7-71.src.rpm
  i386:
    krb5-devel-1.2.7-71.i386.rpm
    krb5-libs-1.2.7-71.i386.rpm
    krb5-server-1.2.7-71.i386.rpm
    krb5-workstation-1.2.7-71.i386.rpm
  x86_64:
    krb5-devel-1.2.7-71.x86_64.rpm
    krb5-libs-1.2.7-71.i386.rpm
    krb5-libs-1.2.7-71.x86_64.rpm
    krb5-server-1.2.7-71.x86_64.rpm
    krb5-workstation-1.2.7-71.x86_64.rpm

SL 4.x

  SRPMS:
    krb5-1.3.4-62.el4_8.1.src.rpm
  i386:
    krb5-devel-1.3.4-62.el4_8.1.i386.rpm
    krb5-libs-1.3.4-62.el4_8.1.i386.rpm
    krb5-server-1.3.4-62.el4_8.1.i386.rpm
    krb5-workstation-1.3.4-62.el4_8.1.i386.rpm
  x86_64:
    krb5-devel-1.3.4-62.el4_8.1.x86_64.rpm
    krb5-libs-1.3.4-62.el4_8.1.i386.rpm
    krb5-libs-1.3.4-62.el4_8.1.x86_64.rpm
    krb5-server-1.3.4-62.el4_8.1.x86_64.rpm
    krb5-workstation-1.3.4-62.el4_8.1.x86_64.rpm

SL 5.x

  SRPMS:
    krb5-1.6.1-36.el5_4.1.src.rpm
  i386:
    krb5-devel-1.6.1-36.el5_4.1.i386.rpm
    krb5-libs-1.6.1-36.el5_4.1.i386.rpm
    krb5-server-1.6.1-36.el5_4.1.i386.rpm
    krb5-workstation-1.6.1-36.el5_4.1.i386.rpm
  x86_64:
    krb5-devel-1.6.1-36.el5_4.1.i386.rpm
    krb5-devel-1.6.1-36.el5_4.1.x86_64.rpm
    krb5-libs-1.6.1-36.el5_4.1.i386.rpm
    krb5-libs-1.6.1-36.el5_4.1.x86_64.rpm
    krb5-server-1.6.1-36.el5_4.1.x86_64.rpm
    krb5-workstation-1.6.1-36.el5_4.1.x86_64.rpm

-Connie Sieh
-Troy Dawson
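The advisory says the update only takes effect once every service using the MIT Kerberos libraries is restarted, and an x86_64 host carries both the i386 and x86_64 krb5-libs packages. The script below is an added example, not part of the SL errata or of the krb5 package: it checks an installed krb5-libs VERSION-RELEASE against the fixed builds listed above (simplified rpm-style ordering, an assumption that is adequate for these NVRs) and finds processes that still map a replaced krb5 shared object, which the kernel marks "(deleted)" in /proc/<pid>/maps once rpm has installed the new file over it. The sample maps records are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the SL errata): verify krb5-libs is at or past the
# fixed build for this advisory, and list processes still running the old
# (now deleted) MIT Kerberos shared objects so they can be restarted.

# fixed_vr <sl-major>: fixed VERSION-RELEASE of krb5-libs from the advisory.
fixed_vr() {
    case "$1" in
        3) echo 1.2.7-71 ;;
        4) echo 1.3.4-62.el4_8.1 ;;
        5) echo 1.6.1-36.el5_4.1 ;;
        *) return 1 ;;
    esac
}

# vercmp <a> <b>: print -1, 0 or 1. Segments split on . - _ compare
# numerically when both are numbers, otherwise as strings; a missing segment
# sorts before any present one. Simplified rpm ordering (an assumption).
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, /[._-]/); nb = split(b, B, /[._-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] : ""; y = (i <= nb) ? B[i] : ""
            if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) { x += 0; y += 0 }
            if (x < y) { print -1; exit }
            if (x > y) { print 1; exit }
        }
        print 0
    }'
}

# is_patched <installed-vr> <fixed-vr>: succeed if installed >= fixed.
is_patched() {
    [ "$(vercmp "$1" "$2")" -ge 0 ]
}

# check_installed <sl-major>: report every installed krb5-libs (both arches
# on an x86_64 multilib host) against the fixed build. Needs rpm on a host.
check_installed() {
    want=$(fixed_vr "$1") || { echo "unknown SL major release: $1" >&2; return 2; }
    rpm -q --qf '%{VERSION}-%{RELEASE} %{ARCH}\n' krb5-libs | while read -r vr arch; do
        if is_patched "$vr" "$want"; then
            echo "krb5-libs.$arch $vr: fixed"
        else
            echo "krb5-libs.$arch $vr: VULNERABLE, need $want or later"
        fi
    done
}

# stale_pids_from_maps: read "<pid> <line of /proc/<pid>/maps>" records on
# stdin and print, space-separated, the pids that still map a krb5 shared
# object whose file has been replaced (the kernel appends "(deleted)").
stale_pids_from_maps() {
    awk '$0 ~ "/lib(krb5|k5crypto|gssapi_krb5|krb5support)\\.so[^ ]* \\(deleted\\)$" && !seen[$1]++ {
             printf "%s%s", (n++ ? " " : ""), $1
         }
         END { print "" }'
}

# scan_live_maps: the same check on the running system (root is needed to
# read other users' maps). Restart whatever it lists, typically krb5kdc,
# kadmind, sshd and any daemon linked against GSSAPI.
scan_live_maps() {
    for m in /proc/[0-9]*/maps; do
        p=${m#/proc/}; p=${p%/maps}
        sed "s|^|$p |" "$m" 2>/dev/null
    done | stale_pids_from_maps
}

# Constructed sample (not from a real host): pid 1234 still maps the old
# libkrb5/libk5crypto, pid 2345 already maps the replaced libkrb5, pid 3456
# still holds the old libgssapi_krb5.
SAMPLE_MAPS='1234 b7f1c000-b7f9e000 r-xp 00000000 08:01 394823 /usr/lib/libkrb5.so.3.3 (deleted)
1234 b7fa0000-b7fa8000 r-xp 00000000 08:01 394820 /usr/lib/libk5crypto.so.3.1 (deleted)
1234 b7fb0000-b7fb9000 r-xp 00000000 08:01 12004 /lib/libresolv-2.5.so
2345 08048000-08050000 r-xp 00000000 08:01 9123 /usr/sbin/sshd
2345 b7e00000-b7e80000 r-xp 00000000 08:01 394830 /usr/lib/libkrb5.so.3.3
3456 b7e00000-b7e80000 r-xp 00000000 08:01 394825 /usr/lib/libgssapi_krb5.so.2.2 (deleted)'

# sample_stale_pids: run the maps check over the constructed sample.
sample_stale_pids() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_pids_from_maps
}

# Stand-alone run: ./krb5check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "SL5 with 1.6.1-31.el5_3.3 patched? $(is_patched 1.6.1-31.el5_3.3 "$(fixed_vr 5)" && echo yes || echo no)"
    echo "pids to restart (sample): $(sample_stale_pids)"
    [ -r /proc/1/maps ] && echo "pids to restart (live): $(scan_live_maps)"
fi
```

Two caveats. The "(deleted)" test only catches processes that were already running when the library was replaced; it is the complement of the rpm check, not a substitute for it. And the library list covers libkrb5, libk5crypto, libgssapi_krb5 and libkrb5support; statically linked binaries, or anything that loaded the old code some other way, will not show up, so on a KDC the safe move is still to restart krb5kdc and kadmind unconditionally.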