-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2011:077 http://www.mandriva.com/security/ _______________________________________________________________________ Package : krb5 Date : April 22, 2011 Affected: 2010.1, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: A vulnerability has been found and corrected in krb5: The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition (CVE-2011-0285). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0285 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: a3beaa4210ef88324b1f7403fe66d49b 2010.1/i586/krb5-1.8.1-5.5mdv2010.2.i586.rpm 5ef9a8a2b65c3cd54237bd486f5f3ea4 2010.1/i586/krb5-pkinit-openssl-1.8.1-5.5mdv2010.2.i586.rpm 53c539adf79bf75de0a69776a41ce9df 2010.1/i586/krb5-server-1.8.1-5.5mdv2010.2.i586.rpm 0d2ec063ef260df774b0fea3a9d7fe63 2010.1/i586/krb5-server-ldap-1.8.1-5.5mdv2010.2.i586.rpm ad07be92c68b3e9b8a7602e19aa8ab6e 2010.1/i586/krb5-workstation-1.8.1-5.5mdv2010.2.i586.rpm 732f0d7c394a867a71503fb5533c598e 2010.1/i586/libkrb53-1.8.1-5.5mdv2010.2.i586.rpm 363a6990320f5e1bcde2a894521b49f7 2010.1/i586/libkrb53-devel-1.8.1-5.5mdv2010.2.i586.rpm 7e2a03d05b7f86c1ec880eb26c156726 2010.1/SRPMS/krb5-1.8.1-5.5mdv2010.2.src.rpm Mandriva Linux 2010.1/X86_64: 4e79aa59df474ecc0472c1201d5e373b 2010.1/x86_64/krb5-1.8.1-5.5mdv2010.2.x86_64.rpm 6f66367684ad4633aedc9427153d2a5a 2010.1/x86_64/krb5-pkinit-openssl-1.8.1-5.5mdv2010.2.x86_64.rpm 41b1af27fd23b3ede880484cd3775688 2010.1/x86_64/krb5-server-1.8.1-5.5mdv2010.2.x86_64.rpm b5d9b7db106f4df3501a527054a1b5e2 2010.1/x86_64/krb5-server-ldap-1.8.1-5.5mdv2010.2.x86_64.rpm 78964ab9b21c5cc2ddb7e7d09f5496ce 2010.1/x86_64/krb5-workstation-1.8.1-5.5mdv2010.2.x86_64.rpm 715dad0872aac4d013dec2b5f022fe70 2010.1/x86_64/lib64krb53-1.8.1-5.5mdv2010.2.x86_64.rpm 3d605d0edfff276d65d41c5d5ed8eef2 2010.1/x86_64/lib64krb53-devel-1.8.1-5.5mdv2010.2.x86_64.rpm 7e2a03d05b7f86c1ec880eb26c156726 2010.1/SRPMS/krb5-1.8.1-5.5mdv2010.2.src.rpm Mandriva Enterprise Server 5: 62e270c8bb4276b9883f5fad04373ea4 mes5/i586/krb5-1.8.1-0.6mdvmes5.2.i586.rpm ef7eb35fda701aae33c23cdd41b2566e mes5/i586/krb5-pkinit-openssl-1.8.1-0.6mdvmes5.2.i586.rpm 4a19294f600f7f5fa40defc2bba50089 mes5/i586/krb5-server-1.8.1-0.6mdvmes5.2.i586.rpm 2fe89c0a2a2a0618f1c363c622dcaa68 mes5/i586/krb5-server-ldap-1.8.1-0.6mdvmes5.2.i586.rpm 1809ee8a5570aabe32e43f26686b4ab1 mes5/i586/krb5-workstation-1.8.1-0.6mdvmes5.2.i586.rpm a8fe576ff818ba02c9c0f8f9665999f8 mes5/i586/libkrb53-1.8.1-0.6mdvmes5.2.i586.rpm 412db60ca1427b5d9f31f387144870c9 mes5/i586/libkrb53-devel-1.8.1-0.6mdvmes5.2.i586.rpm 1a51198ce51d8801ea24af9d0a80a854 mes5/SRPMS/krb5-1.8.1-0.6mdvmes5.2.src.rpm Mandriva Enterprise Server 5/X86_64: f7075001482119db8d21c94b6ef334d9 mes5/x86_64/krb5-1.8.1-0.6mdvmes5.2.x86_64.rpm 2c0c2882bb89b432f103fad9431ecbf8 mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.6mdvmes5.2.x86_64.rpm 354082671bb193faaf025ecd33a8d5dd mes5/x86_64/krb5-server-1.8.1-0.6mdvmes5.2.x86_64.rpm 9697894ff2bc038bc5a06c29be265e17 mes5/x86_64/krb5-server-ldap-1.8.1-0.6mdvmes5.2.x86_64.rpm 4592d2d5e020e6efbfe469fd23bc4265 mes5/x86_64/krb5-workstation-1.8.1-0.6mdvmes5.2.x86_64.rpm 50e1b81524aba4f09bc2c60307d1b4b3 mes5/x86_64/lib64krb53-1.8.1-0.6mdvmes5.2.x86_64.rpm b8f5f879971561726b677e989384c1b6 mes5/x86_64/lib64krb53-devel-1.8.1-0.6mdvmes5.2.x86_64.rpm 1a51198ce51d8801ea24af9d0a80a854 mes5/SRPMS/krb5-1.8.1-0.6mdvmes5.2.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFNsSH/mqjQ0CJFipgRAnV1AKDPOs9aQTG+8dJqisy7/gMgmR9kkACgqwer Fk+nZv2piaaAWsBS/eJDGeA= =3Kv7 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/