===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0272
                           krb5 security update
                              4 February 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           krb5
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Administrator Compromise        -- Existing Account      
                   Execute Arbitrary Code/Commands -- Existing Account      
                   Denial of Service               -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-9423 CVE-2014-9422 CVE-2014-9421
                   CVE-2014-5352  

Reference:         ESB-2015.0270

Original Bulletin: 
   http://www.debian.org/security/2015/dsa-3153

--------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3153-1                   security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
February 03, 2015                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : krb5
CVE ID         : CVE-2014-5352 CVE-2014-9421 CVE-2014-9422 CVE-2014-9423

Multiple vulnerabilities have been found in krb5, the MIT
implementation of Kerberos:

CVE-2014-5352

    Incorrect memory management in the libgssapi_krb5 library might
    result in denial of service or the execution of arbitrary code.

CVE-2014-9421

    Incorrect memory management in kadmind's processing of XDR data
    might result in denial of service or the execution of arbitrary code.

CVE-2014-9422

    Incorrect processing of two-component server principals might result
    in impersonation attacks.

CVE-2014-9423

    An information leak exists in the libgssrpc library.

For the stable distribution (wheezy), these problems have been fixed in
version 1.10.1+dfsg-5+deb7u3.

For the unstable distribution (sid), these problems have been fixed in
version 1.12.1+dfsg-17.

We recommend that you upgrade your krb5 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================