Advisories » MGASA-2014-0345

Updated krb5 package fixes security vulnerabilities

Publication date: 22 Aug 2014
Modification date: 22 Aug 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-4344, CVE-2014-4345

Description

MIT Kerberos 5 allows attackers to cause a denial of service via a buffer
over-read or NULL pointer dereference, by injecting invalid tokens into a
GSSAPI application session (CVE-2014-4341, CVE-2014-4342).

MIT Kerberos 5 allows attackers to cause a denial of service via a
double-free flaw or NULL pointer dereference, while processing invalid
SPNEGO tokens (CVE-2014-4343, CVE-2014-4344).

In MIT Kerberos 5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overflow) (CVE-2014-4345).

References

SRPMS

3/core

4/core