Multiple vulnerabilities in the mit-krb5 package have been fixed. A remote malicious user could exploit them to execute arbitrary code, carry out a DoS attack, gain elevated privileges, forge GSS tokens, bypass configured restrictions, and disclose sensitive information.
Package:
mit-krb5-appl 1.x
Operating systems:
Gentoo Linux
Criticality:
5.7
Problem:
integer overflow, improper error handling, error in a program function
The flaws stem from errors in the functions "process_chpw_request", "prepare_error_as", "do_standalone", "merge_authdata", "kg_accept_krb5" and "prep_reprocess_req", in the files "do_tgs_req.c" and "kadmin/server/server_stubs.c", and in the "Key Distribution Center (KDC)" component.
Consequence:
A remote malicious user can exploit these flaws to run arbitrary code, carry out a DoS attack, escalate privileges, forge GSS tokens, bypass certain restrictions, and disclose sensitive information.
Solution:
All users of the affected software package are advised to upgrade to newer versions to protect their security.
Gentoo update for mit-krb5
Secunia Advisory SA47658
Release Date 2012-01-24
Criticality level Highly critical
Impact Security Bypass
Spoofing
DoS
System access
Where From remote
Solution Status Vendor Patch
Operating System
Gentoo Linux
CVE Reference(s)
CVE-2009-3295
CVE-2009-4212
CVE-2010-0283
CVE-2010-0629
CVE-2010-1320
CVE-2010-1321
CVE-2010-1322
CVE-2010-1323
CVE-2010-1324
CVE-2010-4020
CVE-2010-4021
CVE-2010-4022
CVE-2011-0281
CVE-2011-0282
CVE-2011-0283
CVE-2011-0284
CVE-2011-0285
CVE-2011-1527
CVE-2011-1528
CVE-2011-1529
CVE-2011-1530
CVE-2011-4151
Description
Gentoo has issued an update for mit-krb5. This fixes multiple vulnerabilities, which can be exploited by malicious users to conduct spoofing attacks, bypass certain security features, cause a DoS (Denial of Service), and potentially compromise a vulnerable system and by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
For more information:
SA37977
SA38080
SA38598
SA39315
SA39420
SA39762
SA41684
SA42396
SA43260
SA43783
SA44125
SA46494
SA47124
Solution
Update to "app-crypt/mit-krb5-1.9.2-r1" or later.
Original Advisory
GLSA 201201-13:
http://www.gentoo.org/security/en/glsa/glsa-201201-13.xml