| Summary: | <app-crypt/mit-krb5-1.11.2-r1 : kpasswd UDP ping-pong vulnerability (CVE-2002-2443) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | kerberos |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2013/05/13/4 | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2013-05-13 21:10:32 UTC
+*mit-krb5-1.11.2-r1 (14 May 2013)
+
+  14 May 2013; Eray Aslan <eras@gentoo.org> +files/CVE-2002-2443.patch,
+  +mit-krb5-1.11.2-r1.ebuild:
+  Security bump - bug #469752

@security: We can stabilize =app-crypt/mit-krb5-1.11.2-r1. Thank you.

All right, let's stabilize. Arches, please stabilize =app-crypt/mit-krb5-1.11.3, target arches: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86. Thanks!

amd64 stable

x86 stable

ppc stable

Stable for HPPA.

ppc64 stable

alpha stable

arm stable

ia64 stable

sh stable

sparc stable

s390 stable

Thanks for your work

GLSA vote: yes

GLSA vote: yes, added to GLSA.

CVE-2002-2443 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2002-2443): schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103.

This issue was resolved and addressed in GLSA 201312-12 at http://security.gentoo.org/glsa/glsa-201312-12.xml by GLSA coordinator Sergey Popov (pinkbyte).
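The communication loop named in the CVE entry above, as an added simulation that is not krb5's code and not part of this bug's history. It models two kpasswd servers on UDP port 464 running the same request handler, plus one datagram forged with the other server's address as its source, so every reply lands on the peer's kpasswd port. The datagram framing (2-byte total length, 2-byte protocol version 0x0001 or 0xff80, 2-byte AP-REQ length, AP-REQ, then KRB-PRIV or KRB-ERROR) follows RFC 3244; the KRB-ERROR body is a constructed placeholder. The `vulnerable_handler` answers everything with an error, which is the behaviour the advisory describes; the `hardened_handler` applies the example's own policy, modeled on the fix's intent: validate the structure before replying, and never answer a datagram with a zero-length AP-REQ, since that is what an error reply looks like. Both handlers and `simulate_pingpong` are this example's assumptions.

```python
"""Constructed simulation of the kpasswd UDP ping-pong (CVE-2002-2443).

Not krb5 code. Two kpasswd servers (UDP port 464) run the same handler; a
spoofed datagram claims to come from the other server, so each reply is
delivered back to the peer's kpasswd port.
"""
import struct

KPASSWD_PORT = 464            # RFC 3244 kpasswd port (informational here)
CHANGEPW_VERSION = 0x0001     # RFC 3244 change-password protocol version
SETPW_VERSION = 0xFF80        # RFC 3244 set-password protocol version
SUPPORTED_VERSIONS = (CHANGEPW_VERSION, SETPW_VERSION)


def build_message(version, ap_req, body):
    """RFC 3244 framing: 2-byte total length (including itself), 2-byte
    version, 2-byte AP-REQ length, AP-REQ, then KRB-PRIV or KRB-ERROR."""
    payload = struct.pack("!HH", version, len(ap_req)) + ap_req + body
    return struct.pack("!H", 2 + len(payload)) + payload


def error_reply(reason):
    """Failure reply: version 1, zero-length AP-REQ, then a KRB-ERROR.
    The ASN.1 KRB-ERROR is replaced by a constructed placeholder."""
    return build_message(CHANGEPW_VERSION, b"", b"KRB-ERROR:" + reason)


def vulnerable_handler(datagram):
    """Pre-fix behaviour: every datagram gets a reply, so a malformed packet
    or another server's error reply is answered with an error of its own."""
    if len(datagram) < 6:
        return error_reply(b"truncated")
    length, version, ap_req_len = struct.unpack("!HHH", datagram[:6])
    if length != len(datagram):
        return error_reply(b"inconsistent length")
    if version not in SUPPORTED_VERSIONS:
        return error_reply(b"unsupported version")
    if ap_req_len == 0 or 6 + ap_req_len > len(datagram):
        return error_reply(b"bad AP-REQ")
    # A real server would verify the AP-REQ and decrypt the KRB-PRIV here;
    # the simulation has no keys, so authentication always fails.
    return error_reply(b"authentication failed")


def hardened_handler(datagram):
    """Post-fix policy (the example's own): stay silent unless the datagram
    is structurally a request, and never answer anything shaped like an
    error reply (zero-length AP-REQ). None means 'send nothing'."""
    if len(datagram) < 6:
        return None
    length, version, ap_req_len = struct.unpack("!HHH", datagram[:6])
    if length != len(datagram) or version not in SUPPORTED_VERSIONS:
        return None
    if ap_req_len == 0 or 6 + ap_req_len > len(datagram):
        return None
    return error_reply(b"authentication failed")


def simulate_pingpong(handler, forged, max_rounds=1000):
    """Deliver `forged` to server A as if sent from server B's port 464 and
    bounce each reply to the other server. Returns how many datagrams the
    two servers exchange before one stays silent (capped at max_rounds)."""
    datagram = forged
    exchanged = 0
    while datagram is not None and exchanged < max_rounds:
        datagram = handler(datagram)      # A and B run identical code
        if datagram is not None:
            exchanged += 1
    return exchanged


if __name__ == "__main__":
    # Constructed inputs: a one-byte packet and a request with a junk AP-REQ.
    junk_request = build_message(CHANGEPW_VERSION, b"\x6e\x06fakeAP", b"KRB-PRIV")
    for name, handler in (("vulnerable", vulnerable_handler),
                          ("hardened", hardened_handler)):
        print(name, "one-byte packet:", simulate_pingpong(handler, b"\x00", 100))
        print(name, "junk request:", simulate_pingpong(handler, junk_request, 100))
```

With the vulnerable handler both inputs run until the cap: each error reply carries a zero-length AP-REQ, the peer rejects it with another error, and the two servers burn CPU and bandwidth on each other indefinitely. With the hardened handler the one-byte packet is dropped silently, and the junk request gets exactly one error reply, which the peer then refuses to answer, so the loop never starts. The same idea protects against the chargen/echo variant of CVE-1999-0103: a service that never replies to a datagram it would itself emit cannot be made to talk to itself.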