Important: krb5-appl security update
Date: Tue, 5 Jul 2011 14:38:41 -0500
Reply-To: Troy Dawson
Sender: Security Errata for Scientific Linux
From: Troy Dawson
Subject: FASTBUGS for SL 5.x i386/x86_64
The following FASTBUGS have been uploaded to
i386:
kdenetwork-3.5.4-13.el5_6.1.i386.rpm
kdenetwork-devel-3.5.4-13.el5_6.1.i386.rpm
ypbind-1.19-12.el5_6.1.i386.rpm
x86_64:
kdenetwork-3.5.4-13.el5_6.1.i386.rpm
kdenetwork-3.5.4-13.el5_6.1.x86_64.rpm
kdenetwork-devel-3.5.4-13.el5_6.1.i386.rpm
kdenetwork-devel-3.5.4-13.el5_6.1.x86_64.rpm
ypbind-1.19-12.el5_6.1.x86_64.rpm
-Connie Sieh
-Troy Dawson
Date: Tue, 5 Jul 2011 16:26:44 -0500
Reply-To: Troy Dawson
Sender: Security Errata for Scientific Linux
From: Troy Dawson
Subject: Security ERRATA Important: krb5-appl on SL6.x i386/x86_64

Synopsis: Important: krb5-appl security update
Issue date: 2011-07-05
CVE Names: CVE-2011-1526

The krb5-appl packages provide Kerberos-aware telnet, ftp, rcp, rsh, and
rlogin clients and servers. While these have been replaced by tools such
as OpenSSH in most environments, they remain in use in others.

It was found that gssftp, a Kerberos-aware FTP server, did not properly
drop privileges. A remote FTP user could use this flaw to gain
unauthorized read or write access to files that are owned by the root
group. (CVE-2011-1526)

SL 6.x
SRPMS:
krb5-appl-1.0.1-2.el6_1.1.src.rpm
i386:
krb5-appl-clients-1.0.1-2.el6_1.1.i686.rpm
krb5-appl-servers-1.0.1-2.el6_1.1.i686.rpm
x86_64:
krb5-appl-clients-1.0.1-2.el6_1.1.x86_64.rpm
krb5-appl-servers-1.0.1-2.el6_1.1.x86_64.rpm
- Scientific Linux Development Team
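
Added example, not part of the advisory and not the krb5-appl code or its fix: a general C sketch of a privilege drop for a root-started server that checks every call and then reads the IDs back, so a retained root group of the kind CVE-2011-1526 describes is caught instead of silently kept. The function names `holds_group` and `drop_privileges` are hypothetical; the advisory does not say how gssftp's drop failed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes setgroups() in glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return 1 if group g is still held as the real, effective or a
 * supplementary group of this process, else 0. */
int holds_group(gid_t g)
{
    gid_t list[256];
    int n = getgroups(256, list);

    if (n < 0 || getgid() == g || getegid() == g)
        return 1;                  /* fail closed if the list is unreadable */
    for (int i = 0; i < n; i++)
        if (list[i] == g)
            return 1;
    return 0;
}

/* Permanently switch to uid/gid. Returns 0 only when every call
 * succeeded and no root identity remains; -1 otherwise. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Groups go first: once the UID is dropped they cannot change. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Do not trust the return codes alone: read the IDs back. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (gid != 0 && holds_group(0))
        return -1;                 /* root group leaked through */
    if (uid != 0 && setuid(0) == 0)
        return -1;                 /* root UID is still reachable */
    return 0;
}

int main(void)
{
    /* Constructed demo: "drop" to the IDs the process already has. */
    int rc = drop_privileges(getuid(), getgid());
    printf("drop_privileges: %s\n", rc == 0 ? "ok" : "FAILED");
    return rc == 0 ? 0 : 1;
}
```

A caller should treat a -1 return as fatal and exit before touching any file on the user's behalf.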