Test ID:1.3.6.1.4.1.25623.1.0.51051
Category:Red Hat Local Security Checks
Title:RedHat Security Advisory RHSA-2004:350
Summary:Redhat Security Advisory RHSA-2004:350
Description:

The remote host is missing updates announced in
advisory RHSA-2004:350.

Kerberos is a networked authentication system that uses a trusted third
party (a KDC) to authenticate clients and servers to each other.

Several double-free bugs were found in the Kerberos 5 KDC and libraries. A
remote attacker could potentially exploit these flaws to execute arbitrary
code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues.

A double-free bug was also found in the krb524 server (CVE-2004-0772),
however this issue does not affect Red Hat Enterprise Linux 3 Kerberos
packages.

An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A
remote attacker may be able to trigger this flaw and cause a denial of
service. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2004-0644 to this issue.

When attempting to contact a KDC, the Kerberos libraries will iterate
through the list of configured servers, attempting to contact each in turn.
If one of the servers becomes unresponsive, the client will time out and
contact the next configured server. When the library attempts to contact
the next KDC, the entire process is repeated. For applications which must
contact a KDC several times, the accumulated time spent waiting can become
significant.

This update modifies the libraries, notes which server for a given realm
last responded to a request, and attempts to contact that server first
before contacting any of the other configured servers.
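To make the cost of the old failover behaviour concrete, the following is an added simulation (not Red Hat's or MIT Kerberos code) of a client walking its configured KDC list with a fixed per-server timeout, once without and once with the "remember the last responder" optimisation the update describes. KDC names, the responsive set, the timeout and the request count are constructed for the example.

```python
"""Simulate KDC selection before and after the RHSA-2004:350 library change.

Constructed scenario: three configured KDCs, only the last one answers.
Each unresponsive server costs one full timeout; the real library also
involves DNS lookups and UDP/TCP retries, which this model leaves out.
"""

KDCS = ["kdc1.example.com", "kdc2.example.com", "kdc3.example.com"]  # constructed


def contact_kdc(kdcs, responsive, timeout, preferred=None):
    """Try servers in configured order (preferred one first, if given).

    Returns (server that answered, seconds spent waiting on dead servers).
    Raises RuntimeError when no configured server responds.
    """
    order = list(kdcs)
    if preferred in order:
        order.remove(preferred)
        order.insert(0, preferred)
    waited = 0.0
    for kdc in order:
        if kdc in responsive:
            return kdc, waited
        waited += timeout  # timed out, move on to the next configured server
    raise RuntimeError("no KDC responded for realm")


def run_requests(n, kdcs, responsive, timeout=1.0, remember_last=False):
    """Perform n KDC round trips (an application fetching several tickets).

    Without remember_last the whole list is walked from the top each time,
    so the timeouts accumulate; with it the last responder is tried first.
    Returns the total seconds spent waiting.
    """
    total = 0.0
    last = None
    for _ in range(n):
        kdc, waited = contact_kdc(kdcs, responsive, timeout,
                                  last if remember_last else None)
        total += waited
        last = kdc
    return total


if __name__ == "__main__":
    alive = {"kdc3.example.com"}  # constructed: first two KDCs are down
    print("old behaviour:", run_requests(5, KDCS, alive))                    # 10.0 s
    print("with last-responder cache:", run_requests(5, KDCS, alive, remember_last=True))  # 2.0 s
```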

All users of krb5 should upgrade to these updated packages, which contain
backported security patches to resolve these issues.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2004-350.html
http://web.mit.edu/kerberos/advisories/

Risk factor : High

CVSS Score:
7.5

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2004-0642
Cert/CC Advisory: TA04-247A
http://www.us-cert.gov/cas/techalerts/TA04-247A.html
CERT/CC vulnerability note: VU#795632
http://www.kb.cert.org/vuls/id/795632
Conectiva Linux advisory: CLA-2004:860
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000860
Debian Security Information: DSA-543
http://www.debian.org/security/2004/dsa-543
http://www.gentoo.org/security/en/glsa/glsa-200409-09.xml
RedHat Security Advisories: RHSA-2004:350
http://rhn.redhat.com/errata/RHSA-2004-350.html
http://www.trustix.net/errata/2004/0045/
Bugtraq: 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos)
http://marc.theaimsgroup.com/?l=bugtraq&m=109508872524753&w=2
BugTraq ID: 11078
http://www.securityfocus.com/bid/11078
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4936
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10709
XForce ISS Database: kerberos-kdc-double-free(17157)
http://xforce.iss.net/xforce/xfdb/17157
Common Vulnerability Exposure (CVE) ID: CVE-2004-0643
CERT/CC vulnerability note: VU#866472
http://www.kb.cert.org/vuls/id/866472
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:3322
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10267
XForce ISS Database: kerberos-krb5rdcred-double-free(17159)
http://xforce.iss.net/xforce/xfdb/17159
Common Vulnerability Exposure (CVE) ID: CVE-2004-0644
CERT/CC vulnerability note: VU#550464
http://www.kb.cert.org/vuls/id/550464
BugTraq ID: 11079
http://www.securityfocus.com/bid/11079
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:2139
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10014
XForce ISS Database: kerberos-asn1-library-dos(17160)
http://xforce.iss.net/xforce/xfdb/17160
Common Vulnerability Exposure (CVE) ID: CVE-2004-0772
CERT/CC vulnerability note: VU#350792
http://www.kb.cert.org/vuls/id/350792
http://www.mandriva.com/security/advisories?name=MDKSA-2004:088
http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:4661
XForce ISS Database: kerberos-krb524d-double-free(17158)
http://xforce.iss.net/xforce/xfdb/17158
Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com