===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0322
               Debian LTS: DLA-1265-1: krb5 security update
                               1 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           krb5
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
Impact/Access:     Denial of Service     -- Remote/Unauthenticated
                   Unauthorised Access   -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-3120 CVE-2016-3119 CVE-2014-5355 CVE-2014-5353
                   CVE-2014-5351 CVE-2013-1418
Reference:         ASB-2017.0219
                   ESB-2014.1836
                   ESB-2014.1604

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html

--------------------------BEGIN INCLUDED TEXT--------------------

Package        : krb5
Version        : 1.10.1+dfsg-5+deb7u9
CVE ID         : CVE-2013-1418 CVE-2014-5351 CVE-2014-5353 CVE-2014-5355
                 CVE-2016-3119 CVE-2016-3120
Debian Bug     : 728845 762479 773226 778647 819468 832572

Kerberos, a system for authenticating users and services on a network, was
affected by several vulnerabilities. The Common Vulnerabilities and
Exposures project identifies the following issues.

CVE-2013-1418

    Kerberos allows remote attackers to cause a denial of service (NULL
    pointer dereference and daemon crash) via a crafted request when
    multiple realms are configured.

CVE-2014-5351

    Kerberos sends old keys in a response to a -randkey -keepold request,
    which allows remote authenticated users to forge tickets by leveraging
    administrative access.

CVE-2014-5353

    When the KDC uses LDAP, Kerberos allows remote authenticated users to
    cause a denial of service (daemon crash) via a successful LDAP query
    with no results, as demonstrated by using an incorrect object type for
    a password policy.

CVE-2014-5355

    Kerberos expects that a krb5_read_message data field is represented as
    a string ending with a '\0' character, which allows remote attackers to
    (1) cause a denial of service (NULL pointer dereference) via a zero-byte
    version string or (2) cause a denial of service (out-of-bounds read) by
    omitting the '\0' character.

CVE-2016-3119

    Kerberos allows remote authenticated users to cause a denial of service
    (NULL pointer dereference and daemon crash) via a crafted request to
    modify a principal.

CVE-2016-3120

    Kerberos allows remote authenticated users to cause a denial of service
    (NULL pointer dereference and daemon crash) via an S4U2Self request.

For Debian 7 "Wheezy", these problems have been fixed in version
1.10.1+dfsg-5+deb7u9.

We recommend that you upgrade your krb5 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
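A check an administrator could run after the upgrade the advisory recommends, added here as an example and not part of the Debian or AusCERT bulletin: it compares installed krb5 package versions against the fixed version 1.10.1+dfsg-5+deb7u9 using dpkg's version-ordering rules (epoch, upstream, revision; numeric digit runs; '~' sorts before the end of the string), so it goes beyond a plain string comparison. The binary package names and the sample dpkg-query output are constructed assumptions.

```python
# Added example (not from the Debian or AusCERT bulletin): flag krb5 packages on
# a Wheezy host still below the DLA-1265-1 fix, ordered by dpkg's version rules.
import re
from itertools import zip_longest

FIXED_VERSION = "1.10.1+dfsg-5+deb7u9"  # stated in the advisory
# Binary package names are assumed for illustration; confirm with dpkg -l.
KRB5_PACKAGES = {"libkrb5-3", "libgssapi-krb5-2", "krb5-kdc", "krb5-user"}
_TOKEN = re.compile(r"(\D*)(\d*)")  # alternating non-digit / digit runs

def _order(c):  # dpkg weight: '~' < end-of-string < letters < everything else
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream or revision strings by dpkg's rules: -1, 0 or 1."""
    for (na, da), (nb, db) in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b),
                                          fillvalue=("", "")):
        ka = tuple(_order(c) for c in na) + (0,)  # trailing 0 = end of string
        kb = tuple(_order(c) for c in nb) + (0,)
        if ka != kb:
            return -1 if ka < kb else 1
        if int(da or 0) != int(db or 0):  # digit runs compare numerically
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(v):
    """[epoch:]upstream[-revision] -> (int epoch, upstream, revision)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, rev = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (rev if sep else "")

def debian_version_cmp(v1, v2):
    """Negative if v1 < v2, zero if equal, positive if v1 > v2."""
    (e1, u1, r1), (e2, u2, r2) = _split(v1), _split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def unpatched(dpkg_lines, fixed=FIXED_VERSION):
    """Return (package, version) pairs for krb5 packages older than the fix."""
    hits = []
    for line in dpkg_lines:
        pkg, _, ver = line.strip().partition(" ")
        if pkg in KRB5_PACKAGES and debian_version_cmp(ver, fixed) < 0:
            hits.append((pkg, ver))
    return hits

# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE = ["libkrb5-3 1.10.1+dfsg-5+deb7u8", "krb5-kdc 1.10.1+dfsg-5+deb7u9",
          "krb5-user 1.10.1+dfsg-5+deb7u7", "bash 4.2+dfsg-0.1+deb7u3"]
```

On a real host, feed `unpatched()` the output of the dpkg-query command shown in the comment; an empty result means every listed krb5 package is at or above the fixed version.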