-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2009-2834 2009-03-18 18:33:30 --------------------------------------------------------------------------------
Name : krb5 Product : Fedora 9 Version : 1.6.3 Release : 16.fc9 URL : http://web.mit.edu/kerberos/www/ Summary : The Kerberos network authentication system. Description : Kerberos V5 is a trusted-third-party network authentication system, which can improve your network's security by eliminating the insecure practice of cleartext passwords. -------------------------------------------------------------------------------- Update Information: This update incorporates patches to fix potential read overflow and NULL pointer dereferences in the implementation of the SPNEGO GSSAPI mechanism (CVE-2009-0844, CVE-2009-0845), attempts to free an uninitialized pointer during protocol parsing (CVE-2009-0846), and a bug in length validation during protocol parsing (CVE-2009-0847). -------------------------------------------------------------------------------- ChangeLog: * Tue Apr 7 2009 Nalin Dahyabhai <[email protected]> 1.6.3-16 - add patches for read overflow and null pointer dereference in the implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845) - add patch for attempt to free uninitialized pointer in libkrb5 (CVE-2009-0846) - add patch to fix length validation bug in libkrb5 (CVE-2009-0847) * Mon Apr 6 2009 Nalin Dahyabhai <[email protected]> - pull in a couple of defuzzed patches from the F-10 version of this package, dropping a redundant man page patch in the process * Tue Mar 17 2009 Nalin Dahyabhai <[email protected]> 1.6.3-15 - libgssapi_krb5: backport fix for some errors which can occur when we fail to set up the server half of a context (CVE-2009-0845) * Sat Jun 14 2008 Tom "spot" Callaway <[email protected]> 1.6.3-14 - generate src/include/krb5/krb5.h before building - fix conditional for sparcv9 * Wed Apr 16 2008 Nalin Dahyabhai <[email protected]> 1.6.3-13 - ftp: use the correct local filename during mget when the 'case' option is enabled (#442713) * Fri Apr 4 2008 Nalin Dahyabhai <[email protected]> 1.6.3-12 - stop exporting kadmin keys to a keytab file when kadmind starts -- the daemon's been able to use the database directly for a long long time now - belatedly add aes128,aes256 to the default set of supported key types * Tue Apr 1 2008 Nalin Dahyabhai <[email protected]> 1.6.3-11 - libgssapi_krb5: properly export the acceptor subkey when creating a lucid context (Kevin Coffman, via the nfs4 mailing list) -------------------------------------------------------------------------------- References: [ 1 ] Bug #490634 - CVE-2009-0845 krb5: Null pointer dereference in GSSAPI SPNEGO security mechanism https://bugzilla.redhat.com/show_bug.cgi?id=490634 [ 2 ] Bug #491033 - CVE-2009-0844 krb5: buffer over-read in SPNEGO GSS-API mechanism (MITKRB5-SA-2009-001) https://bugzilla.redhat.com/show_bug.cgi?id=491033 [ 3 ] Bug #491036 - CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002) https://bugzilla.redhat.com/show_bug.cgi?id=491036 [ 4 ] Bug #491034 - CVE-2009-0847 krb5: incorrect length check inside ASN.1 decoder (MITKRB5-SA-2009-001) https://bugzilla.redhat.com/show_bug.cgi?id=491034 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update krb5' at the command line. For more information, refer to "Managing Software with yum", available at http://docs.fedoraproject.org/yum/. All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at http://fedoraproject.org/keys -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list [email protected] http://www.redhat.com/mailman/listinfo/fedora-package-announce
