===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0272
                           krb5 security update
                              4 February 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           krb5
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Administrator Compromise        -- Existing Account
                   Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9423 CVE-2014-9422 CVE-2014-9421
                   CVE-2014-5352
Reference:         ESB-2015.0270

Original Bulletin:
   http://www.debian.org/security/2015/dsa-3153

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-3153-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 03, 2015                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : krb5
CVE ID         : CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423

Multiple vulnerabilities have been found in krb5, the MIT implementation
of Kerberos:

CVE-2014-5352

    Incorrect memory management in the libgssapi_krb5 library might
    result in denial of service or the execution of arbitrary code.

CVE-2014-9421

    Incorrect memory management in kadmind's processing of XDR data
    might result in denial of service or the execution of arbitrary code.

CVE-2014-9422

    Incorrect processing of two-component server principals might result
    in impersonation attacks.

CVE-2014-9423

    An information leak in the libgssrpc library.

For the stable distribution (wheezy), these problems have been fixed in
version 1.10.1+dfsg-5+deb7u3.

For the unstable distribution (sid), these problems have been fixed in
version 1.12.1+dfsg-17.

We recommend that you upgrade your krb5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================