Does this problem affect the version in testing/unstable (1.6.dfsg.3~beta1-3)? The original advisory from MIT mentions version 1.6.3 and earlier are vulnerable, so I assume that the versions in lenny/sid are?
Thanks,
Joshua Hutchins

Noah Meyerhans wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1524-1                    [EMAIL PROTECTED]
> http://www.debian.org/security/                          Noah Meyerhans
> March 18, 2008                        http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package        : krb5
> Vulnerability  : several
> Problem type   : remote
> Debian-specific: no
> CVE Id(s)      : CVE-2008-0062 CVE-2008-0063 CVE-2008-0947
>
> Several remote vulnerabilities have been discovered in the kdc component
> of the krb5, a system for authenticating users and services on a
> network.
>
> CVE-2008-0062
>
>     An unauthenticated remote attacker may cause a krb4-enabled KDC to
>     crash, expose information, or execute arbitrary code. Successful
>     exploitation of this vulnerability could compromise the Kerberos key
>     database and host security on the KDC host.
>
> CVE-2008-0063
>
>     An unauthenticated remote attacker may cause a krb4-enabled KDC to
>     expose information. It is theoretically possible for the exposed
>     information to include secret key data on some platforms.
>
> CVE-2008-0947
>
>     An unauthenticated remote attacker can cause memory corruption in the
>     kadmind process, which is likely to cause kadmind to crash, resulting in
>     a denial of service. It is at least theoretically possible for such
>     corruption to result in database corruption or arbitrary code execution,
>     though we have no such exploit and are not aware of any such exploits in
>     use in the wild. In versions of MIT Kerberos shipped by Debian, this
>     bug can only be triggered in configurations that allow large numbers of
>     open file descriptors in a process.
>
> For the stable distribution (etch), these problems have been fixed in
> version 1.4.4-7etch5.
>
> For the old stable distribution (sarge), these problems have been fixed
> in version krb5 1.3.6-2sarge6.
>
> We recommend that you upgrade your krb5 packages.
>
> Upgrade instructions
> --------------------
>
> wget url
>         will fetch the file for you
> dpkg -i file.deb
>         will install the referenced file.
>
> If you are using the apt-get package manager, use the line for
> sources.list as given below:
>
> apt-get update
>         will update the internal database
> apt-get upgrade
>         will install corrected packages
>
> You may use an automated update by adding the resources from the
> footer to the proper configuration.
>
> Debian 3.1 (oldstable)
> ----------------------
>
> Oldstable updates are available for alpha, amd64, arm, hppa, i386,
> ia64, m68k, mips, mipsel, powerpc, s390 and sparc.
>
> Source archives:
>
> These files will probably be moved into the stable distribution on
> its next update.
>
> ---------------------------------------------------------------------------------
> For apt-get: deb http://security.debian.org/ stable/updates main
> For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
> Mailing list: [EMAIL PROTECTED]
> Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>