USN-224-1: Kerberos vulnerabilities
===========================================================
Ubuntu Security Notice USN-224-1 December 06, 2005
krb4, krb5 vulnerabilities
CVE-2005-0468, CVE-2005-0469, CVE-2005-1174, CVE-2005-1175,
CVE-2005-1689
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
The following packages are affected:
kerberos4kth-clients
krb5-clients
krb5-kdc
krb5-rsh-server
krb5-telnetd
On Ubuntu 4.10, the problem can be corrected by upgrading the affected
package to version 1.2.2-10ubuntu0.1 (kerberos4kth-clients), and
1.3.4-3ubuntu0.2 (krb5-clients, krb5-kdc, krb5-rsh-server,
krb5-telnetd).
On Ubuntu 5.04, the problem can be corrected by upgrading the affected
package to version 1.2.2-10ubuntu0.1 (kerberos4kth-clients), and
1.3.6-1ubuntu0.1 (krb5-clients, krb5-kdc, krb5-rsh-server,
krb5-telnetd).
In general, a standard system upgrade is sufficient to effect the
necessary changes.
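As an added example (not part of the notice or of Ubuntu's tooling), the following Python script checks a package listing against the fixed versions given above. The names FIXED, compare_versions and audit are my own; compare_versions follows the dpkg version ordering ([epoch:]upstream[-revision], with '~' sorting before everything), and SAMPLE is a constructed listing.

```python
import re
from itertools import zip_longest

# Fixed versions as listed in the notice; the four krb5 binaries share one source version.
KRB5 = ("krb5-clients", "krb5-kdc", "krb5-rsh-server", "krb5-telnetd")
FIXED = {
    "4.10": {"kerberos4kth-clients": "1.2.2-10ubuntu0.1", **dict.fromkeys(KRB5, "1.3.4-3ubuntu0.2")},
    "5.04": {"kerberos4kth-clients": "1.2.2-10ubuntu0.1", **dict.fromkeys(KRB5, "1.3.6-1ubuntu0.1")},
}

def _order(c):
    # dpkg weight of one non-digit character: end of string is 0, '~' sorts below it, letters below punctuation.
    if c in ("", "~"):
        return -1 if c else 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(x, y):
    # Compare an upstream or revision string as dpkg does: alternating runs of non-digits and digits.
    rx, ry = (re.findall(r"(\D*)(\d*)", s) for s in (x, y))
    for (nx, dx), (ny, dy) in zip_longest(rx, ry, fillvalue=("", "")):
        for cx, cy in zip_longest(nx, ny, fillvalue=""):
            if _order(cx) != _order(cy):
                return _order(cx) - _order(cy)
        if int(dx or 0) != int(dy or 0):
            return int(dx or 0) - int(dy or 0)
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; epoch defaults to 0 and revision to "".
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a, b):
    # Negative, zero or positive for a lt/eq/gt b, matching dpkg --compare-versions.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def audit(release, dpkg_listing):
    # Return (package, installed, fixed) for every affected package still below its fixed version;
    # dpkg_listing is the text printed by: dpkg-query -W -f='${Package} ${Version}\n'
    fixed, found = FIXED[release], []
    for line in dpkg_listing.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[0] in fixed and compare_versions(fields[1], fixed[fields[0]]) < 0:
            found.append((fields[0], fields[1], fixed[fields[0]]))
    return found

# Constructed sample listing for a Hoary (5.04) host, not output from any real system.
SAMPLE = "krb5-kdc 1.3.6-1\nkrb5-telnetd 1.3.6-1ubuntu0.1\nkerberos4kth-clients 1.2.2-10\nbash 3.0-7ubuntu1\n"
```

On an actual Debian or Ubuntu host, `dpkg --compare-versions` gives the same ordering and can replace compare_versions.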
Details follow:
Gaël Delalleau discovered a buffer overflow in the env_opt_add()
function of the Kerberos 4 and 5 telnet clients. By sending specially
crafted replies, a malicious telnet server could exploit this to
execute arbitrary code with the privileges of the user running the
telnet client. (CVE-2005-0468)
Gaël Delalleau discovered a buffer overflow in the handling of the
LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By
sending a specially constructed reply containing a large number of SLC
(Set Local Character) commands, a remote attacker (i.e. a malicious
telnet server) could execute arbitrary commands with the privileges of
the user running the telnet client. (CVE-2005-0469)
Daniel Wachdorf discovered two remote vulnerabilities in the Key
Distribution Center of Kerberos 5 (krb5-kdc). By sending certain TCP
connection requests, a remote attacker could trigger a double-freeing
of memory, which led to memory corruption and a crash of the KDC
server. (CVE-2005-1174) Under rare circumstances the same type of TCP
connection requests could also trigger a buffer overflow that could be
exploited to run arbitrary code with the privileges of the KDC server.
(CVE-2005-1175)
Magnus Hagander discovered that the krb5_recvauth() function attempted
to free previously freed memory in some situations. A remote attacker
could possibly exploit this to run arbitrary code with the privileges
of the program that called this function. Most importantly, this
affects the following daemons: kpropd (from the krb5-kdc package),
klogind, and kshd (both from the krb5-rsh-server package).
(CVE-2005-1689)
Please note that these packages are not officially supported by Ubuntu
(they are in the 'universe' component of the archive).