Red Hat Security Advisory: Updated Kerberos 5 packages are now available

Written By
Web Webster
Jun 16, 2000

Date: Thu, 15 Jun 2000 19:00 -0400
From: bugzilla@redhat.com
To: redhat-watch-list@redhat.com, linux-security@redhat.com
Subject: [RHSA-2000:025-12] Updated Kerberos 5 packages are now
available for Red Hat Linux.


                   Red Hat, Inc. Security Advisory

Synopsis:          Updated Kerberos 5 packages are now available for Red Hat Linux.
Advisory ID:       RHSA-2000:025-12
Issue date:        2000-05-16
Updated on:        2000-06-15
Product:           Red Hat Linux
Keywords:          N/A
Cross references:  N/A

1. Topic:

Security vulnerabilities have been found in the Kerberos 5
implementation shipped with Red Hat Linux 6.2.

2. Relevant releases/architectures:

Red Hat Linux 6.2 – i386 alpha sparc

3. Problem description:

A number of possible buffer overruns were found in libraries
included in the affected packages. A denial-of-service
vulnerability was also found in the ksu program.

* A remote user may gain unauthorized root access to a machine
running services authenticated with Kerberos 4.

* A remote user may gain unauthorized root access to a machine
running krshd, regardless of whether the program is configured to
accept Kerberos 4 authentication.

* A local user may gain unauthorized root access by exploiting
v4rcp or ksu.

* A remote user can cause a KDC to become unresponsive or crash
by sending it an improperly formatted request.

* A remote user may execute certain FTP commands without
authorization on systems using the FTP server included in the
krb5-workstation package.

* An attacker with access to a local account may gain
unauthorized root access on systems using the FTP server included
in the krb5-workstation package.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla
for more info):

10653 – ‘stat’ unresolved on “libkrb5.so.2.2” load
11496 – security-updated krb5 packages fail dependencies

6. RPMs required:

Red Hat Linux 6.2:

intel:

ftp://ftp.redhat.com/redhat/updates/6.2/i386/krb5-configs-1.1.1-21.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/krb5-devel-1.1.1-21.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/krb5-libs-1.1.1-21.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/krb5-server-1.1.1-21.i386.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/i386/krb5-workstation-1.1.1-21.i386.rpm

alpha:

ftp://ftp.redhat.com/redhat/updates/6.2/alpha/krb5-configs-1.1.1-21.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/krb5-devel-1.1.1-21.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/krb5-libs-1.1.1-21.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/krb5-server-1.1.1-21.alpha.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/alpha/krb5-workstation-1.1.1-21.alpha.rpm

sparc:

ftp://ftp.redhat.com/redhat/updates/6.2/sparc/krb5-configs-1.1.1-21.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/krb5-devel-1.1.1-21.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/krb5-libs-1.1.1-21.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/krb5-server-1.1.1-21.sparc.rpm
ftp://ftp.redhat.com/redhat/updates/6.2/sparc/krb5-workstation-1.1.1-21.sparc.rpm

sources:

ftp://ftp.redhat.com/redhat/updates/6.2/SRPMS/krb5-1.1.1-21.src.rpm
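
Because `rpm -Fvh` only freshens packages that are already installed at an older build, it helps to know which krb5 packages on a host are still below the fixed build 1.1.1-21. The following is an added example, not part of the Red Hat advisory: it compares `rpm -qa`-style lines against that build using a simplified form of rpm's version ordering (no epoch handling). The sample package list is constructed.

```python
import re

# Fixed build taken from the package file names in this advisory.
FIXED = ("1.1.1", "21")
ADVISORY_PKGS = {"krb5-configs", "krb5-devel", "krb5-libs",
                 "krb5-server", "krb5-workstation"}

def _segments(s):
    # Split into runs of digits or letters; separators are ignored.
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpm-style compare: -1, 0 or 1. No epoch or '~' handling."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)      # numeric compare, so 9 < 21
        elif x.isdigit() != y.isdigit():
            # A numeric segment sorts as newer than an alphabetic one.
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def needs_update(rpm_qa_lines):
    """Return advisory packages installed at a build older than FIXED."""
    stale = []
    for line in rpm_qa_lines:
        line = line.strip()
        parts = line.rsplit("-", 2)    # name-version-release
        if len(parts) != 3 or parts[0] not in ADVISORY_PKGS:
            continue
        _, version, release = parts
        c = vercmp(version, FIXED[0]) or vercmp(release, FIXED[1])
        if c < 0:
            stale.append(line)
    return stale

# Constructed `rpm -qa` output for illustration; not taken from the advisory.
SAMPLE = """\
krb5-libs-1.1.1-9
krb5-workstation-1.1.1-21
krb5-server-1.1.1-16
openssl-0.9.5a-1
""".splitlines()

if __name__ == "__main__":
    print(needs_update(SAMPLE))
```

A plain string comparison would rank release `9` above `21`, which is why the segments are compared numerically.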

7. Verification:


These packages are GPG signed by Red Hat, Inc. for security. Our
key is available at:
http://www.redhat.com/corp/contact.html

You can verify each package with the following command:
rpm --checksig [filename]

If you only wish to verify that each package has not been
corrupted or tampered with, examine only the md5sum with the
following command:
rpm --checksig --nogpg [filename]

8. References:
http://www.securityfocus.com/bid/1220

http://www.securityfocus.com/bid/1338

http://web.mit.edu/kerberos/www/advisories/index.html

Thanks to Chris Evans, Mike Friedman, Jim Paris, Matt Power,
Andrew Newman, Christopher R. Thompson, and Marcus Watts for
reporting these problems to us and the Kerberos 5 team.
