Описание
ELSA-2010-0423: krb5 security update (IMPORTANT)
[1.6.1-36.el5_5.4]
- add candidate patch to correct KDC null pointer dereference which could be triggered by malformed client requests (CVE-2010-1321, #583703)
[1.6.1-36.el5_5.3]
- add upstream patch to fix a few use-after-free bugs, including one in kadmind (CVE-2010-0629, #578185)
Обновленные пакеты
Oracle Linux 5
Oracle Linux ia64
krb5-devel
1.6.1-36.el5_5.4
krb5-libs
1.6.1-36.el5_5.4
krb5-server
1.6.1-36.el5_5.4
krb5-workstation
1.6.1-36.el5_5.4
Oracle Linux x86_64
krb5-devel
1.6.1-36.el5_5.4
krb5-libs
1.6.1-36.el5_5.4
krb5-server
1.6.1-36.el5_5.4
krb5-workstation
1.6.1-36.el5_5.4
Oracle Linux i386
krb5-devel
1.6.1-36.el5_5.4
krb5-libs
1.6.1-36.el5_5.4
krb5-server
1.6.1-36.el5_5.4
krb5-workstation
1.6.1-36.el5_5.4
Связанные CVE
Связанные уязвимости
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-AP ...
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.