Bug 141761 - app-crypt/mit-krb5 Privilege escalation (CVE-2006-308{3|4})
Status: RESOLVED DUPLICATE of bug 143240
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: CLASSIFIED 20060808 14:00 US/Eastern ...
Reported: 2006-07-26 01:09 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2007-01-04 18:14 UTC
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-26 01:09:50 UTC
The MIT Kerberos Development Team is aware of the following
vulnerabilities in the MIT krb5 software.  Please do not publicly
disseminate this information prior to our public disclosure.

Our current target date for public disclosure is 08 August 2006, not
before 14:00 US/Eastern time.  Vendors should contact tlyu@mit.edu via
PGP-encrypted email for details and patches.  Some vendors already
known to the MIT Kerberos Development Team have been notified
previously.

Please let me know if you have any concerns about the release date.

Advisory MITKRB5-SA-2006-001 concerns the following vulnerabilities:

CVE-2006-3083:

On Linux systems, local privilege escalation vulnerabilities exist in
the krshd and v4rcp programs provided with the MIT implementation of
Kerberos 5 in releases up to and including krb5-1.5.  These
vulnerabilities are due in part to specific properties of Linux.  To
our knowledge, no other operating systems are affected.

CVE-2006-3084:

Local privilege escalation vulnerabilities may exist in the ftpd and
ksu programs provided with the MIT implementation of Kerberos 5 in
releases up to and including krb5-1.5.  To our knowledge, no operating
systems are affected, but there may be operating systems with unknown
specific properties which unmask these vulnerabilities.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-07-26 02:03:40 UTC
NEVER open this bug, but open a public one when it is time.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-08-08 12:39:55 UTC

*** This bug has been marked as a duplicate of 143240 ***