From Mageia wiki

MGASA-2012-0178

Date: July 24th, 2012
Affected releases: 1, 2


Description:
Updated krb5 packages fix one security vulnerability and two packaging bugs:

The check_1_6_dummy function in lib/kadm5/srv/svr_principal.c in
kadmind in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x, and 1.10.x before
1.10.2 allows remote authenticated administrators to cause a denial
of service (NULL pointer dereference and daemon crash) via a
KRB5_KDB_DISALLOW_ALL_TIX create request that lacks a password
(CVE-2012-1013). The request must come from a kadmin principal that
kadm5.acl already allows to add principals, so the exposure is a crash
of kadmind by a privileged client, not an unauthenticated remote attack.

Additionally, the paths to the principal database and kpropd access
list in the kadmin and kpropd init scripts have been fixed.

Finally, the paths to the rsh and rlogin commands used by krsh and
krlogin were fixed in the krb5-appl-clients package on Mageia 2.


Updated Packages:
Mageia 1:
krb5-1.8.3-5.3.mga1
krb5-pkinit-openssl-1.8.3-5.3.mga1
krb5-server-1.8.3-5.3.mga1
krb5-server-ldap-1.8.3-5.3.mga1
krb5-workstation-1.8.3-5.3.mga1
lib(64)krb53-1.8.3-5.3.mga1
lib(64)krb53-devel-1.8.3-5.3.mga1

Mageia 2:
krb5-1.9.2-2.2.mga2
krb5-pkinit-openssl-1.9.2-2.2.mga2
krb5-server-1.9.2-2.2.mga2
krb5-server-ldap-1.9.2-2.2.mga2
krb5-workstation-1.9.2-2.2.mga2
lib(64)krb53-1.9.2-2.2.mga2
lib(64)krb53-devel-1.9.2-2.2.mga2
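
As an added example (not part of this advisory or of Mageia's tooling), the following POSIX sh script checks `rpm -q` style NAME-VERSION-RELEASE strings against the fixed versions listed above and reports which installed packages are still below them. It compares the version-release fields numerically rather than as strings, so a hypothetical 5.10 release correctly sorts after 5.3. It assumes the packages carry no RPM Epoch (none of the packages above do) and only knows the mga1 and mga2 disttags from this advisory; the sample package list at the bottom is constructed for the demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added example (not part of the advisory): compare installed krb5 package
# versions against the fixed versions listed in MGASA-2012-0178.
# Pure POSIX sh so it needs neither rpmdev-vercmp nor GNU sort -V.

# Fixed version-release for each affected Mageia release, taken from the
# advisory; the disttag (mga1/mga2) of the installed package selects the row.
fixed_vr_for() {
  case "$1" in
    *.mga1) echo "1.8.3-5.3.mga1" ;;
    *.mga2) echo "1.9.2-2.2.mga2" ;;
    *) return 1 ;;
  esac
}

# "1.8.3-5.3.mga1" -> "1 8 3 5 3": drop the disttag, split on '.' and '-'.
vr_fields() {
  printf '%s' "$1" | sed 's/\.mga[0-9]*$//; s/[.-]/ /g'
}

# vr_ge INSTALLED FIXED: succeed (0) if INSTALLED >= FIXED, comparing each
# field numerically so that 5.10 sorts after 5.3 (a string compare would not).
vr_ge() {
  a=$(vr_fields "$1")
  b=$(vr_fields "$2")
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%% *}; y=${b%% *}
    case "$a" in *' '*) a=${a#* } ;; *) a='' ;; esac
    case "$b" in *' '*) b=${b#* } ;; *) b='' ;; esac
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0   # every field equal
}

# check_nvr NAME-VERSION-RELEASE (one line of `rpm -q` output).
# Exit 0 = fixed, 1 = still vulnerable, 2 = not a Mageia 1/2 package.
check_nvr() {
  nvr=$1
  # version-release is the last two '-'-separated fields; version starts with a digit
  vr=$(printf '%s' "$nvr" | sed 's/^.*-\([0-9][^-]*-[^-]*\)$/\1/')
  if ! fixed=$(fixed_vr_for "$vr"); then
    echo "unknown release: $nvr"; return 2
  fi
  if vr_ge "$vr" "$fixed"; then
    echo "ok: $nvr"
  else
    echo "VULNERABLE: $nvr (fixed in $fixed)"; return 1
  fi
}

# count_vulnerable LIST: LIST is a newline-separated list of NVRs; prints
# how many of them are below the fixed version (or from an unknown release).
count_vulnerable() {
  n=0
  for nvr in $1; do
    if ! check_nvr "$nvr" >/dev/null; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Constructed sample of `rpm -qa 'krb5*' 'lib*krb5*'` output from a partly
# updated Mageia 2 host (made-up data, not from a real system).
SAMPLE='krb5-1.9.2-2.1.mga2
krb5-server-1.9.2-2.1.mga2
krb5-workstation-1.9.2-2.2.mga2
lib64krb53-1.9.2-2.2.mga2'

for nvr in $SAMPLE; do check_nvr "$nvr" || :; done
echo "vulnerable packages: $(count_vulnerable "$SAMPLE")"
```

To run it against a live host, replace SAMPLE with the output of `rpm -qa 'krb5*' 'lib*krb5*'`. An exit status of 2 from check_nvr means the package carries a disttag this advisory does not cover, so the script deliberately refuses to call it fixed.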


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1013
http://lists.fedoraproject.org/pipermail/package-announce/2012-June/082183.html
https://bugs.mageia.org/show_bug.cgi?id=6469