Summary: | app-crypt/mit-krb5 < 1.5.3-r1 multiple vulnerabilities (CVE-2007-3999, CVE-2007-4000) | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | Gentoo Security | Reporter: | Heath Caldwell (RETIRED) <hncaldwell> | ||||||
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> | ||||||
Status: | RESOLVED FIXED | ||||||||
Severity: | major | CC: | gentoobugs, henson, kerberos, lkml_ccc | ||||||
Priority: | High | ||||||||
Version: | unspecified | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | B0 [glsa] vorlon | ||||||||
Package list: | Runtime testing required: | --- | |||||||
Attachments: |
|
Description
Heath Caldwell (RETIRED)
2007-09-04 21:23:49 UTC
*** Bug 191356 has been marked as a duplicate of this bug. *** kerberos, please advise. I think I have some patches laying around for this fix. Will report back. Created attachment 130116 [details, diff] Revised patch. See http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-006.txt "... The patch for CVE-2007-3999 has been revised; the patch originally released for svc_auth_gss.c allowed a 32-byte overflow. Depending on the compilation environment and machine architecture, this may or may not be a significant continued vulnerability. The new patch below correctly checks the buffer length. ..." *** Bug 191444 has been marked as a duplicate of this bug. *** thanks for that Heath. New ebuild is 1.5.3-r1. Arch teams can feel free to do what they need to. Thanks Seemant. Arches, please test and mark stable. Target keywords are: "alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86" Stable for HPPA. alpha/ia64/x86 stable ppc stable amd64 done ppc64 stable mit-krb5-1.5.3-r1 emerged fine here on sparc64 with both: app-crypt/mit-krb5-1.5.3-r1 (ipv6 tcl) app-crypt/mit-krb5-1.5.3-r1 Created attachment 130389 [details]
sparc64 emerge --info
security: GLSA drafted and ready for review sparc team, please test and mark stable Stable for SPARC. GLSA 200709-01 thanks everyone |