rPSA-2007-0179-2 krb5 krb5-server krb5-services krb5-test krb5-workstation
rPath Update Announcements
announce-noreply at rpath.com
Thu Sep 6 20:30:15 EDT 2007
rPath Security Advisory: 2007-0179-2
Published: 2007-09-06
Updated:
2007-09-06 CVE-2007-4743 also assigned to this vulnerability
Products: rPath Linux 1
Rating: Critical
Exposure Level Classification:
Remote Root Deterministic Unauthorized Access
Updated Versions:
krb5=/conary.rpath.com@rpl:devel//1/1.4.1-7.8-1
krb5-server=/conary.rpath.com@rpl:devel//1/1.4.1-7.8-1
krb5-services=/conary.rpath.com@rpl:devel//1/1.4.1-7.8-1
krb5-test=/conary.rpath.com@rpl:devel//1/1.4.1-7.8-1
krb5-workstation=/conary.rpath.com@rpl:devel//1/1.4.1-7.8-1
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3999
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4743
https://issues.rpath.com/browse/RPL-1696
Description:
Previous versions of the krb5 package are vulnerable to an
unauthenticated remote arbitrary code execution attack against
the kadmind server. rPath Linux systems are not automatically
configured with kadmind enabled. Systems configured as Kerberos
administrative servers (that is, running kadmind) are vulnerable.
6 September 2007 Update: CVE-2007-4743 was also assigned to this
vulnerability due to a problem with the originally published patch
(for CVE-2007-3999), which did not fully correct the vulnerability.
The update provided for rPath Linux used the revised patch, which
fully corrected the vulnerability.
Note: rPath Linux 1 is not vulnerable to CVE-2007-4000 (which was
announced coincident with CVE-2007-3999); it does not apply to the
version of Kerberos included in rPath Linux 1.
Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html