Classification: UNCLASSIFIED
Caveats: NONE

Thanks Roberto,

That can help me with some direction. I have to provide guidance and automated shell scripts for Sun, HP, AIX and Redhat. I knew about the changelog for Redhat, but didn't know about the krb5-config command.

Jason Mackanick, CISSP
DISA FSO Support & Standards Section
Technical Support Team

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roberto C. Sánchez
Sent: Wednesday, January 09, 2008 4:09 PM
To: [email protected]
Subject: Re: How to determine the version (UNCLASSIFIED)

On Wed, Jan 09, 2008 at 10:53:11AM -0500, Mackanick, Jason W CTR DISA GIG-OP wrote:
> Classification: UNCLASSIFIED
> Caveats: NONE
>
> Various vendors for unix package kerberos with the operating system.
> Is there a method to determine the version number for compliance
> purposes with items such as advisories that are propagated to a CVE?
>

Jason,

Assuming that the vendor ships the kerberos development packages, something like this might be what you want:

    krb5-config --version
    Kerberos 5 release 1.4.4

A cursory look would tell you that I am vulnerable to a heap of CVEs related to Kerberos. However, in my case I am running Debian Etch. Debian has a policy of not introducing new upstream versions just to patch security fixes, so they always do targeted security fixes. So, the version installed on my machine is something like this:

    apt-cache policy libkrb5-dev | grep Installed
      Installed: 1.4.4-7etch4

Looking at the package changelog, there are several entries (4, in fact) like this:

    krb5 (1.4.4-7etch4) stable-security; urgency=emergency

      * Fix bug in fix for CVE-2007-3999: the previous patch could allow an
        overflow of up to 32 bytes. Depending on how locals are laid out on
        the stack, this may or may not be a problem.

     -- Sam Hartman <[EMAIL PROTECTED]>  Tue, 04 Sep 2007 19:51:49 -0400

The total number of CVEs noted in the changelog for the current release is six. So, while a look at the raw version number as reported by Kerberos looks bad, further investigation shows that I am OK in that department (assuming there have only been six CVEs total since the release of 1.4.4; I have not checked).

So, I guess it depends in part on your Unix vendor's security policy. Since you are .mil, you are most probably using Solaris. I know that Sun deploys packages (you can access information about them using pkginfo), but that about exhausts my knowledge of Solaris-specific sysadmin knowledge. So, if Sun ships detailed changelogs with their packages (like Debian does), you might be able to glean the necessary information from there.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
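An added example, not part of the thread above: a small POSIX shell helper that scripts the two checks Roberto walks through. It pulls the upstream release number out of `krb5-config --version` output and compares it field by field against a minimum, and it lists the distinct CVE identifiers a Debian-style package changelog records, so the distro-patched state can be judged separately from the raw upstream number. It assumes the `krb5-config` output format shown in the thread. The changelog text embedded below is constructed for the example (CVE-2007-3999 is the fix the thread quotes; the other entry and CVE-2007-4000 are illustrative) and is not the real krb5 changelog.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Two checks:
#  1. upstream release number from `krb5-config --version`, with a
#     field-wise version comparison;
#  2. distinct CVE IDs recorded in a Debian-style package changelog.

# "Kerberos 5 release 1.4.4" -> "1.4.4". Takes the output string as $1
# so it can be tested offline; on a real box pass "$(krb5-config --version)".
krb5_upstream_version() {
    printf '%s\n' "$1" | sed -n 's/^Kerberos 5 release \([0-9][0-9.]*\).*/\1/p'
}

# Debian package version "1.4.4-7etch4" -> upstream part "1.4.4".
# The distro revision after the dash is where the targeted fixes live.
debian_upstream_part() {
    printf '%s\n' "${1%%-*}"
}

# Return 0 if dotted version $1 >= $2, comparing each numeric field.
# Avoids `sort -V`, which is GNU-only and not on Solaris/HP-UX/AIX.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ -z "$x" ]; then x=0; fi
        if [ -z "$y" ]; then y=0; fi
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Print each distinct CVE identifier found in changelog text on stdin.
changelog_cves() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Constructed sample changelog for the example; NOT the real krb5 changelog.
SAMPLE_CHANGELOG='krb5 (1.4.4-7etch4) stable-security; urgency=emergency

  * Fix bug in fix for CVE-2007-3999: the previous patch could allow an
    overflow of up to 32 bytes.

krb5 (1.4.4-7etch3) stable-security; urgency=high

  * Fix CVE-2007-3999 and CVE-2007-4000 (constructed entry).'

# Number of distinct CVEs in the sample changelog (duplicates collapsed).
count_sample_cves() {
    printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_cves | wc -l | tr -d ' '
}

# Stand-alone demo: raw version vs. what the changelog says was fixed.
if [ "${KRB5_CHECK_DEMO:-}" = "1" ]; then
    ver=$(krb5_upstream_version "Kerberos 5 release 1.4.4")
    if version_ge "$ver" 1.6; then
        echo "upstream $ver meets 1.6 baseline"
    else
        echo "upstream $ver is below the 1.6 baseline; check distro changelog:"
        printf '%s\n' "$SAMPLE_CHANGELOG" | changelog_cves | sed 's/^/  fixed: /'
    fi
fi
```

Run with `KRB5_CHECK_DEMO=1 sh script.sh` to see the demo branch. The changelog half is Debian-specific: on Red Hat the equivalent text comes from `rpm -q --changelog krb5-libs`, and on Solaris, HP-UX and AIX the package tools (`pkginfo`, `swlist`, `lslpp`) give the vendor's package version but no per-CVE changelog, so the mapping to advisories has to come from the vendor's patch documentation instead.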
