Summary: | app-crypt/mit-krb5 <1.6.3-r1 multiple issues (CVE-2007-{5901,5902, 5971, 5972, 5894}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | airsupply <airsupply> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | airsupply, ismail, jokey, kerberos, mueli |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://seclists.org/fulldisclosure/2007/Dec/0321.html | ||
Whiteboard: | B1 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
airsupply
2007-11-15 08:18:13 UTC
*** Bug 199211 has been marked as a duplicate of this bug. *** *** Bug 199212 has been marked as a duplicate of this bug. *** *** Bug 199214 has been marked as a duplicate of this bug. *** ok, now we only have one bug to handle. kerberos, please advise. Venustech, could you please make the reserved CVE descriptions public? we are waiting the vendor's response. maybe still need several days. vendor did not reply our email. we public the adv in fd. http://seclists.org/fulldisclosure/2007/Dec/0176.html See $URL for a reply from the Kerberos upstream. CVE-2007-5894 was disputed as not actually a bug. All the other vulnerabilities might occur, but only under very marginal circumstances. I believe we should continue tracking these issues and bump as soon as upstream releases a fixed version. No need to mask though. Please find the patches for the mentioned vulnerabilities below: CVE-2007-5894: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20182&view=rev CVE-2007-5902: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20181&view=rev CVE-2007-5971: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20180&view=rev CVE-2007-5971: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20178&view=rev CVE-2007-5972: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20179&view=rev Fixed by jokey in app-crypt/mit-krb5-1.6.3-r1, which... already is stable. Sent as GLSA 200803-31 Please note that per the reply of MIT upstream, these patches were merged, but they are not considered vulnerabilities: > CVE-2007-5894: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20182&view=rev > CVE-2007-5902: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20181&view=rev > CVE-2007-5972: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20179&view=rev These are considered vulnerabilities and were mentioned in the GLSA: > CVE-2007-5971: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20180&view=rev > CVE-2007-5971: http://anonsvn.mit.edu/cgi-bin/viewcvs.cgi?rev=20178&view=rev whereas the last one is actually CVE-2007-5901. |