Welcome to our website
To take full advantage of all features you need to login or register. Registration is completely free and takes only a few seconds.
GLSA 200404-09: Cross-realm trust vulnerability in Heimdal
Posted by Philipp Esselbach on: 04/09/2004 09:44 AM [ Print | 0 comment(s) ]
A Heimdal update has been released for Gentoo Linux
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200404-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Cross-realm trust vulnerability in Heimdal
Date: April 09, 2004
Bugs: #46590
ID: 200404-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Heimdal contains cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200404-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Cross-realm trust vulnerability in Heimdal
Date: April 09, 2004
Bugs: #46590
ID: 200404-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Heimdal contains cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.
Background
==========
Heimdal is a free implementation of Kerberos 5.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
app-crypt/heimdal <= 0.6.0 >= 0.6.1
Description
===========
Heimdal does not properly perform certain consistency checks for cross-realm requests, which allows remote attackers with control of a realm to impersonate others in the cross-realm trust path.
Impact
======
Remote attackers with control of a realm may be able to impersonate other users in the cross-realm trust path.
Workaround
==========
A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package.
Resolution
==========
Heimdal users should upgrade to version 0.6.1 or later:
# emerge sync
# emerge -pv ">=app-crypt/heimdal-0.6.1"
# emerge ">=app-crypt/heimdal-0.6.1"
References
==========
[ 1 ] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0371
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.
==========
Heimdal is a free implementation of Kerberos 5.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
app-crypt/heimdal <= 0.6.0 >= 0.6.1
Description
===========
Heimdal does not properly perform certain consistency checks for cross-realm requests, which allows remote attackers with control of a realm to impersonate others in the cross-realm trust path.
Impact
======
Remote attackers with control of a realm may be able to impersonate other users in the cross-realm trust path.
Workaround
==========
A workaround is not currently known for this issue. All users are advised to upgrade to the latest version of the affected package.
Resolution
==========
Heimdal users should upgrade to version 0.6.1 or later:
# emerge sync
# emerge -pv ">=app-crypt/heimdal-0.6.1"
# emerge ">=app-crypt/heimdal-0.6.1"
References
==========
[ 1 ] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0371
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.
