RHSA-2007:0858: Important: krb5 security update
First published: Tue Sep 04 2007(Updated: )
Kerberos is a network authentication system which allows clients and<br>servers to authenticate to each other through use of symmetric encryption<br>and a trusted third party, the KDC. kadmind is the KADM5 administration<br>server.<br>Tenable Network Security discovered a stack buffer overflow flaw in the RPC<br>library used by kadmind. A remote unauthenticated attacker who can access<br>kadmind could trigger this flaw and cause kadmind to crash. On Red Hat<br>Enterprise Linux 5 it is not possible to exploit this flaw to run arbitrary<br>code as the overflow is blocked by FORTIFY_SOURCE. (CVE-2007-3999)<br>Garrett Wollman discovered an uninitialized pointer flaw in kadmind. A<br>remote unauthenticated attacker who can access kadmind could trigger this<br>flaw and cause kadmind to crash. (CVE-2007-4000)<br>These issues did not affect the versions of Kerberos distributed with Red<br>Hat Enterprise Linux 2.1, 3, or 4.<br>Users of krb5-server are advised to update to these erratum packages which<br>contain backported fixes to correct these issues.
| Affected Software | Affected Version | How to fix |
|---|
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/title
- agent/type
- agent/weakness
- collector/redhat-errata
- source/Red Hat
- anchor-id/RHSA-2007:0858