Description: The remote host is missing updates announced in advisory RHSA-2010:0423.
Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC).
A NULL pointer dereference flaw was discovered in the MIT Kerberos Generic Security Service Application Program Interface (GSS-API) library. A remote, authenticated attacker could use this flaw to crash any server application using the GSS-API authentication mechanism, by sending a specially-crafted GSS-API token with a missing checksum field. (CVE-2010-1321)
Red Hat would like to thank the MIT Kerberos Team for responsibly reporting this issue. Upstream acknowledges Shawn Emery of Oracle as the original reporter.
All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
Solution: Please note that this update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2010-0423.html
http://www.redhat.com/security/updates/classification/#important
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2010-005.txt
Risk factor: High
CVSS Score: 6.8