CVE-2009-0360
First published: Fri Feb 13 2009(Updated: )
Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eyrie Pam-krb5 | =3.1 | |
| Eyrie Pam-krb5 | =2.4 | |
| Eyrie Pam-krb5 | =3.4 | |
| Eyrie Pam-krb5 | =3.5 | |
| Eyrie Pam-krb5 | =3.6 | |
| Eyrie Pam-krb5 | =3.7 | |
| Eyrie Pam-krb5 | =2.0 | |
| Eyrie Pam-krb5 | =3.10 | |
| Eyrie Pam-krb5 | =2.1 | |
| Eyrie Pam-krb5 | =2.2 | |
| Eyrie Pam-krb5 | =3.11 | |
| Eyrie Pam-krb5 | <=3.12 | |
| Eyrie Pam-krb5 | =3.0 | |
| Eyrie Pam-krb5 | =3.8 | |
| Eyrie Pam-krb5 | =3.9 | |
| Eyrie Pam-krb5 | =2.6 | |
| Eyrie Pam-krb5 | =2.3 | |
| Eyrie Pam-krb5 | =2.5 | |
| Eyrie Pam-krb5 | =3.2 | |
| Eyrie Pam-krb5 | =3.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://secunia.com/advisories/33917
- http://securitytracker.com/id?1021711
- http://www.debian.org/security/2009/dsa-1721
- http://secunia.com/advisories/33914
- http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html
- http://www.securityfocus.com/bid/33740
- http://www.ubuntu.com/usn/USN-719-1
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-252767-1
- http://secunia.com/advisories/34260
- http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm
- http://security.gentoo.org/glsa/glsa-200903-39.xml
- http://secunia.com/advisories/34449
- http://www.vupen.com/english/advisories/2009/0979
- http://www.vupen.com/english/advisories/2009/0426
- http://www.vupen.com/english/advisories/2009/0410
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5732
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5669
- http://www.securityfocus.com/archive/1/500892/100/0/threaded
- collector/nvd-historical
- collector/nvd-index
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/description
- agent/tags
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- vendor/eyrie
- canonical/eyrie pam-krb5
- version/eyrie pam-krb5/3.1
- version/eyrie pam-krb5/2.4
- version/eyrie pam-krb5/3.4
- version/eyrie pam-krb5/3.5
- version/eyrie pam-krb5/3.6
- version/eyrie pam-krb5/3.7
- version/eyrie pam-krb5/2.0
- version/eyrie pam-krb5/3.10
- version/eyrie pam-krb5/2.1
- version/eyrie pam-krb5/2.2
- version/eyrie pam-krb5/3.11
- version/eyrie pam-krb5/3.12
- version/eyrie pam-krb5/3.0
- version/eyrie pam-krb5/3.8
- version/eyrie pam-krb5/3.9
- version/eyrie pam-krb5/2.6
- version/eyrie pam-krb5/2.3
- version/eyrie pam-krb5/2.5
- version/eyrie pam-krb5/3.2
- version/eyrie pam-krb5/3.3