krb4/dietlibc Updates for Debian
Posted on: 03/28/2003 05:22 PM

Two new security updates for Debian GNU/Linux are available:

DSA-273-1 krb4 -- Cryptographic weakness

A cryptographic weakness in version 4 of the Kerberos protocol allows an attacker to use a chosen-plaintext attack to impersonate any principal in a realm. Additional cryptographic weaknesses in the krb4 implementation permit the use of cut-and-paste attacks to fabricate krb4 tickets for unauthorized client principals if triple-DES keys are used to key krb4 services. These attacks can subvert a site's entire Kerberos authentication infrastructure.


DSA-272-1 dietlibc -- integer overflow

eEye Digital Security discovered an integer overflow in the xdrmem_getbytes() function of glibc, which is also present in dietlibc, a small libc especially useful for small and embedded systems. This function is part of the XDR encoder/decoder derived from Sun's RPC implementation. Depending upon the application, this vulnerability can cause buffer overflows and could possibly be exploited to execute arbitrary code.
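The bug class behind the dietlibc advisory, as an added illustration that is not code from glibc, dietlibc, eEye or the advisory: an XDR memory stream keeps a signed count of bytes remaining, and a length check written as "subtract, then test the sign" can be defeated by a very large unsigned length that wraps the subtraction back to a positive value. The model below shows that check beside a compare-first version that cannot wrap; the struct, field and function names and the sample bytes are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Minimal stand-in for an XDR memory stream (constructed for this example,
 * not glibc's or dietlibc's real layout): a buffer, a cursor and a signed
 * "bytes remaining" counter, in the style of the Sun RPC design. */
typedef struct {
    const unsigned char *base;
    size_t               pos;
    int                  handy;   /* bytes remaining, signed on purpose */
} xdr_mem_t;

/* Weak pattern: subtract first, then test the sign. For len > INT_MAX the
 * unsigned subtraction wraps, the result converts back to a positive int,
 * and the request is accepted although len far exceeds the buffer. This
 * function only reports the decision and copies nothing, so it is safe. */
bool getbytes_check_vulnerable(int handy, unsigned int len)
{
    int remaining = (int)((unsigned int)handy - len);  /* may wrap */
    return remaining >= 0;  /* true means the caller would memcpy len bytes */
}

/* Hardened pattern: reject a negative counter, then compare in the unsigned
 * domain before any subtraction takes place, so nothing can wrap. */
bool getbytes_check_hardened(int handy, unsigned int len)
{
    if (handy < 0)
        return false;
    return len <= (unsigned int)handy;
}

/* Decoder built on the hardened check: copies len bytes out of the stream
 * only when that many bytes are actually available. */
bool xdrmem_getbytes_safe(xdr_mem_t *x, unsigned char *out, unsigned int len)
{
    if (!getbytes_check_hardened(x->handy, len))
        return false;
    memcpy(out, x->base + x->pos, len);
    x->pos   += len;
    x->handy -= (int)len;
    return true;
}

/* Constructed 8-byte stream; asks for three 4-byte reads and returns how
 * many succeed. The third read must be refused because only 8 bytes exist. */
int demo_safe_reads(void)
{
    static const unsigned char sample[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    xdr_mem_t x = { sample, 0, (int)sizeof sample };
    unsigned char out[4];
    int ok = 0;
    for (int i = 0; i < 3; i++)
        if (xdrmem_getbytes_safe(&x, out, 4))
            ok++;
    return ok;
}

int main(void)
{
    unsigned int huge = 0xFFFFFFF0u;  /* 64 - huge wraps to +80 */
    printf("vulnerable check, 64 bytes left, len=%u: %s\n", huge,
           getbytes_check_vulnerable(64, huge) ? "ACCEPTED (wrong)" : "rejected");
    printf("hardened   check, 64 bytes left, len=%u: %s\n", huge,
           getbytes_check_hardened(64, huge) ? "accepted" : "rejected (correct)");
    printf("safe decoder: %d of 3 reads succeeded on an 8-byte stream\n",
           demo_safe_reads());
    return 0;
}
```

The design point is that the bound must be established before the arithmetic that depends on it: comparing `len` against the remaining count in the unsigned domain leaves no intermediate value that can overflow, whereas adjusting the counter first and inspecting the sign afterwards trusts a result that wrapped.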


Printed from Linux Compatible (http://www.linuxcompatible.org/news/story/krb4dietlibc_updates_for_debian.html)