Yellow Dog Linux Security Announcement
--------------------------------------

Package:      kerberos
Issue Date:   Apr 23, 2003
Priority:     medium
Advisory ID:  YDU-20030423-2

1. Topic:

Updated Kerberos packages are available.

2. Problem:

"Kerberos is a network authentication system. The MIT Kerberos team released
an advisory describing a number of vulnerabilities that affect the kerberos
packages shipped as part of Red Hat Linux 9. These issues include:

Vulnerabilities have been found in the triple-DES key support found in the
implementation of the Kerberos IV authentication protocol included in MIT
Kerberos. The Common Vulnerabilities and Exposures project has assigned the
name CAN-2003-0139 to this issue.

Vulnerabilities have been found in the Kerberos IV authentication protocol
which allow an attacker with knowledge of a cross-realm key, which is shared
with another realm, to impersonate any principal in that realm to any service
in that realm. This vulnerability can only be closed by disabling cross-realm
authentication in Kerberos IV (CAN-2003-0138).

Vulnerabilities have been found in the RPC library used by the kadmin service
in Kerberos 5. A faulty length check in the RPC library exposes kadmind to an
integer overflow which can be used to crash kadmind (CAN-2003-0028).

The Key Distribution Center (KDC) allows remote, authenticated attackers to
cause a denial of service (crash) on KDCs within the same realm via a certain
protocol request that causes the KDC to corrupt its heap (CAN-2003-0082).

All users of Kerberos are advised to upgrade to these errata packages, which
disable cross-realm authentication by default for Kerberos IV and which
contain patches that correct these issues."

(From Red Hat Advisory)

3. Solution:

a) Updating via apt...

We suggest that you use the apt-get program to keep your system up-to-date.
The following command(s) will retrieve and install the fixed version of this
update onto your system:

apt-get update
apt-get install kerberos

b) Updating manually...

Download the updates below and then run the following rpm command.
(Please use a mirror site)

rpm -Fvh [filenames]

Yellow Dog Linux 3.0
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-3.0/
ppc/krb5-devel-1.2.7-14.ppc.rpm
ppc/krb5-libs-1.2.7-14.ppc.rpm
ppc/krb5-server-1.2.7-14.ppc.rpm
ppc/krb5-workstation-1.2.7-14.ppc.rpm

Yellow Dog Linux 2.3
ftp://ftp.yellowdoglinux.com/pub/yellowdog/updates/yellowdog-2.3/
ppc/krb5-workstation-1.2.4-11.ppc.rpm
ppc/krb5-server-1.2.4-11.ppc.rpm
ppc/krb5-libs-1.2.4-11.ppc.rpm
ppc/krb5-devel-1.2.4-11.ppc.rpm

4. Verification

MD5 checksum                      Package
--------------------------------  ----------------------------
[Yellow Dog Linux 3.0]
28bc073023ae063e2383e5a646279b01  SRPMS/krb5-1.2.7-14.src.rpm
b0763fe01bd82ec1c52b88fd46c4eea7  ppc/krb5-devel-1.2.7-14.ppc.rpm
ea51f17914281974c9177f608a6eb4d1  ppc/krb5-libs-1.2.7-14.ppc.rpm
18ffe8a6e6fabfb639cbf5bbe9e70c67  ppc/krb5-server-1.2.7-14.ppc.rpm
e3081124c7ba4582dcf99d137c046a7b  ppc/krb5-workstation-1.2.7-14.ppc.rpm

[Yellow Dog Linux 2.3]
fd5703f1b9428ba07ab4dd71f7e6efab  SRPMS/krb5-1.2.4-11.src.rpm
d3111da4173d34c297f9ca6351b0dd03  ppc/krb5-workstation-1.2.4-11.ppc.rpm
7b940af9b9c502b7ca957a4df38f6dfd  ppc/krb5-server-1.2.4-11.ppc.rpm
a63976d7b6635861dc4a309aca114ca9  ppc/krb5-libs-1.2.4-11.ppc.rpm
f7d185bb5d112f0c746dd2b989a8104f  ppc/krb5-devel-1.2.4-11.ppc.rpm

If you wish to verify that each package has not been corrupted or tampered
with, examine the md5sum with the following command:

md5sum

5. Misc.

Terra Soft has set up a moderated mailing list where these security, bugfix,
and package enhancement announcements will be posted. See
http://lists.terrasoftsolutions.com/ for more information.

For information regarding the usage of apt-get, see:
http://www.yellowdoglinux.com/support/solutions/ydl_general/apt-get.shtml
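The following POSIX shell script is an added example, not part of the Terra Soft advisory: it automates step 4 for the Yellow Dog Linux 3.0 packages by comparing each downloaded file against the MD5 sums listed above and only runs "rpm -Fvh" when every sum matches. It assumes the four ppc packages were downloaded into one directory and that md5sum and cut are on the PATH.

```shell
#!/bin/sh
# Added example (not part of the Terra Soft advisory): compare downloaded
# krb5 update packages against the MD5 sums published in section 4 before
# running "rpm -Fvh". Uses the md5sum tool the advisory itself names.

# Expected sums for Yellow Dog Linux 3.0 (ppc), copied from the advisory,
# as "md5:filename" pairs separated by whitespace.
ADVISORY_YDL30='
b0763fe01bd82ec1c52b88fd46c4eea7:krb5-devel-1.2.7-14.ppc.rpm
ea51f17914281974c9177f608a6eb4d1:krb5-libs-1.2.7-14.ppc.rpm
18ffe8a6e6fabfb639cbf5bbe9e70c67:krb5-server-1.2.7-14.ppc.rpm
e3081124c7ba4582dcf99d137c046a7b:krb5-workstation-1.2.7-14.ppc.rpm
'

# check_one EXPECTED_MD5 FILE
# Returns 0 on match, 1 on mismatch, 2 when the file is missing.
check_one() {
    [ -f "$2" ] || return 2
    actual=$(md5sum "$2" | cut -d' ' -f1)
    [ "$actual" = "$1" ]
}

# verify_dir DIR [LIST]
# Checks every package in LIST (default: the YDL 3.0 table) inside DIR and
# prints one status line per package. Returns non-zero if anything is
# missing or mismatched, so a caller can refuse to install on failure.
verify_dir() {
    dir=$1
    list=${2:-$ADVISORY_YDL30}
    bad=0
    for entry in $list; do
        sum=${entry%%:*}
        name=${entry#*:}
        rc=0
        check_one "$sum" "$dir/$name" || rc=$?
        case $rc in
            0) printf 'OK        %s\n' "$name" ;;
            1) printf 'MISMATCH  %s\n' "$name"; bad=1 ;;
            *) printf 'MISSING   %s\n' "$name"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Usage: "sh verify.sh --install /path/to/downloads" checks the files and
# applies them only if every sum matched.
if [ "${1:-}" = "--install" ]; then
    verify_dir "${2:-.}" && rpm -Fvh "${2:-.}"/krb5-*-1.2.7-14.ppc.rpm
fi
```

A matching MD5 sum shows the download was not corrupted or altered in transit; rpm --checksig on the same files additionally verifies the vendor's GPG signature when the signing key is installed.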