Red Hat 8853 Published by

Updated krb5 packages are available for Red Hat Enterprise Linux 3

----------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Updated krb5 packages fix security issues
Advisory ID: RHSA-2004:350-01
Issue date: 2004-08-31
Updated on: 2004-08-31
Product: Red Hat Enterprise Linux
Keywords: krb5 client timeout
Obsoletes: RHSA-2004:236
CVE Names: CAN-2004-0642 CAN-2004-0643 CAN-2004-0644
----------------------------------------------------------------------

1. Summary:

Updated krb5 packages that improve client responsiveness and fix several security issues are now available for Red Hat Enterprise Linux 3.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, ppc64, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64

3. Problem description:

Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other.

Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execuate arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CAN-2004-0642 and CAN-2004-0643 to these issues.

A double-free bug was also found in the krb524 server (CAN-2004-0772), however this issue does not affect Red Hat Enterprise Linux 3 Kerberos packages.

An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0644 to this issue.

When attempting to contact a KDC, the Kerberos libraries will iterate through the list of configured servers, attempting to contact each in turn. If one of the servers becomes unresponsive, the client will time out and contact the next configured server. When the library attempts to contact the next KDC, the entire process is repeated. For applications which must contact a KDC several times, the accumulated time spent waiting can become significant.

This update modifies the libraries, notes which server for a given realm last responded to a request, and attempts to contact that server first before contacting any of the other configured servers.

All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.



4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.

Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate Errors, you need to install a version of the up2date client with an updated certificate. The latest version of up2date is available from the Red Hat FTP site and may also be downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

5. RPMs required:

Red Hat Enterprise Linux AS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/krb5-1.2.7-28.src.rpm
3c91ce8bc77bd9bc5bf2f00c09d23cff krb5-1.2.7-28.src.rpm

i386:
758976fe956ac98a73809b4cc716d4c5 krb5-devel-1.2.7-28.i386.rpm
6a5c52f4ec0a575ca3f22696c592ecc6 krb5-libs-1.2.7-28.i386.rpm
d805a5ef4dc5c16f1a6957cd60769076 krb5-server-1.2.7-28.i386.rpm
2fee85ec1cc48fe67b90cd9954149321 krb5-workstation-1.2.7-28.i386.rpm

ia64:
2d5b6ce0d861cb35c66e9ce11321ca09 krb5-devel-1.2.7-28.ia64.rpm
dd27b1cfed80262c724f20400d174ae6 krb5-libs-1.2.7-28.ia64.rpm
0c0b19114325ab9b9798398009abc745 krb5-server-1.2.7-28.ia64.rpm
b6d331840e0a625073c03f3629b71b6f krb5-workstation-1.2.7-28.ia64.rpm

ppc:
548446398708f1ee3a1820be932c427c krb5-devel-1.2.7-28.ppc.rpm
32f8d495713aad38cf0961e7eab8146f krb5-libs-1.2.7-28.ppc.rpm
2805823ff0ceeb7fd084f4cd1322f180 krb5-server-1.2.7-28.ppc.rpm
c896eb2e27858495ca85a7f4f60b7d9d krb5-workstation-1.2.7-28.ppc.rpm

ppc64:
9571b0242acad9ec5601b941aa5cf93e krb5-devel-1.2.7-28.ppc64.rpm
8bba9563078f648f8399be16a4a52d2a krb5-libs-1.2.7-28.ppc64.rpm
48df8c1d94161a229cf5d52e0f2224ed krb5-server-1.2.7-28.ppc64.rpm
683c8c478512a0d2ef8d4b631e038501 krb5-workstation-1.2.7-28.ppc64.rpm

s390:
e1ab9eb4bef50ef7830e9504c988e4b8 krb5-devel-1.2.7-28.s390.rpm
4786e0ba3adbccca954fb2dee1034dd7 krb5-libs-1.2.7-28.s390.rpm
3b17e6311a345c13efa0322a6f47e08f krb5-server-1.2.7-28.s390.rpm
ce72c91a8d4dd92969bc099866a693cd krb5-workstation-1.2.7-28.s390.rpm

s390x:
9c3c9f758c4a619e852f5289f31614fd krb5-devel-1.2.7-28.s390x.rpm
94d14bb7d2e34140941c51839b4cf4f6 krb5-libs-1.2.7-28.s390x.rpm
9e11ac40de7e36037cc4da2346c5f64f krb5-server-1.2.7-28.s390x.rpm
c2f65cd14134efa5794c732ed7e210df krb5-workstation-1.2.7-28.s390x.rpm

x86_64:
4b5d4f9ec25bf69bf3d1632b8f9dfece krb5-devel-1.2.7-28.x86_64.rpm
3ba1a8cda52f4c5c4f235390b5ab231c krb5-libs-1.2.7-28.x86_64.rpm
4dae049940b908786c4c18ec2c4633e0 krb5-server-1.2.7-28.x86_64.rpm
c68b7f6f4571165da841e89fb2de809d krb5-workstation-1.2.7-28.x86_64.rpm

Red Hat Desktop version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/krb5-1.2.7-28.src.rpm
3c91ce8bc77bd9bc5bf2f00c09d23cff krb5-1.2.7-28.src.rpm

i386:
758976fe956ac98a73809b4cc716d4c5 krb5-devel-1.2.7-28.i386.rpm
6a5c52f4ec0a575ca3f22696c592ecc6 krb5-libs-1.2.7-28.i386.rpm
d805a5ef4dc5c16f1a6957cd60769076 krb5-server-1.2.7-28.i386.rpm
2fee85ec1cc48fe67b90cd9954149321 krb5-workstation-1.2.7-28.i386.rpm

x86_64:
4b5d4f9ec25bf69bf3d1632b8f9dfece krb5-devel-1.2.7-28.x86_64.rpm
3ba1a8cda52f4c5c4f235390b5ab231c krb5-libs-1.2.7-28.x86_64.rpm
4dae049940b908786c4c18ec2c4633e0 krb5-server-1.2.7-28.x86_64.rpm
c68b7f6f4571165da841e89fb2de809d krb5-workstation-1.2.7-28.x86_64.rpm

Red Hat Enterprise Linux ES version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/os/SRPMS/krb5-1.2.7-28.src.rpm
3c91ce8bc77bd9bc5bf2f00c09d23cff krb5-1.2.7-28.src.rpm

i386:
758976fe956ac98a73809b4cc716d4c5 krb5-devel-1.2.7-28.i386.rpm
6a5c52f4ec0a575ca3f22696c592ecc6 krb5-libs-1.2.7-28.i386.rpm
d805a5ef4dc5c16f1a6957cd60769076 krb5-server-1.2.7-28.i386.rpm
2fee85ec1cc48fe67b90cd9954149321 krb5-workstation-1.2.7-28.i386.rpm

ia64:
2d5b6ce0d861cb35c66e9ce11321ca09 krb5-devel-1.2.7-28.ia64.rpm
dd27b1cfed80262c724f20400d174ae6 krb5-libs-1.2.7-28.ia64.rpm
0c0b19114325ab9b9798398009abc745 krb5-server-1.2.7-28.ia64.rpm
b6d331840e0a625073c03f3629b71b6f krb5-workstation-1.2.7-28.ia64.rpm

x86_64:
4b5d4f9ec25bf69bf3d1632b8f9dfece krb5-devel-1.2.7-28.x86_64.rpm
3ba1a8cda52f4c5c4f235390b5ab231c krb5-libs-1.2.7-28.x86_64.rpm
4dae049940b908786c4c18ec2c4633e0 krb5-server-1.2.7-28.x86_64.rpm
c68b7f6f4571165da841e89fb2de809d krb5-workstation-1.2.7-28.x86_64.rpm

Red Hat Enterprise Linux WS version 3:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/os/SRPMS/krb5-1.2.7-28.src.rpm
3c91ce8bc77bd9bc5bf2f00c09d23cff krb5-1.2.7-28.src.rpm

i386:
758976fe956ac98a73809b4cc716d4c5 krb5-devel-1.2.7-28.i386.rpm
6a5c52f4ec0a575ca3f22696c592ecc6 krb5-libs-1.2.7-28.i386.rpm
d805a5ef4dc5c16f1a6957cd60769076 krb5-server-1.2.7-28.i386.rpm
2fee85ec1cc48fe67b90cd9954149321 krb5-workstation-1.2.7-28.i386.rpm

ia64:
2d5b6ce0d861cb35c66e9ce11321ca09 krb5-devel-1.2.7-28.ia64.rpm
dd27b1cfed80262c724f20400d174ae6 krb5-libs-1.2.7-28.ia64.rpm
0c0b19114325ab9b9798398009abc745 krb5-server-1.2.7-28.ia64.rpm
b6d331840e0a625073c03f3629b71b6f krb5-workstation-1.2.7-28.ia64.rpm

x86_64:
4b5d4f9ec25bf69bf3d1632b8f9dfece krb5-devel-1.2.7-28.x86_64.rpm
3ba1a8cda52f4c5c4f235390b5ab231c krb5-libs-1.2.7-28.x86_64.rpm
4dae049940b908786c4c18ec2c4633e0 krb5-server-1.2.7-28.x86_64.rpm
c68b7f6f4571165da841e89fb2de809d krb5-workstation-1.2.7-28.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key.html#package

6. References:

http://web.mit.edu/kerberos/advisories/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644

7. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://www.redhat.com/security/team/contact.html

Copyright 2004 Red Hat, Inc.