SuseSUSE-SA:2009:019remote code execution in krb5
0.932 High
EPSS
Percentile
98.8%
The Kerberos implementation from MIT is vulnerable to four different security issues that range from a remote crash to to possible, but very unlikely, remote code execution. - CVE-2009-0844: The SPNEGO GSS-API implementation can read beyond the end of a buffer (network input) which leads to a crash. - CVE-2009-0845: A NULL pointer dereference in the SPNEGO code can lead to a crash which affects programs using the GSS-API. - CVE-2009-0846: The ASN.1 decoder can free an uninitialized NULL pointer which leads to a crash and can possibly lead to remote code execution. This bug can be exploited before any authen- tication happened, - CVE-2009-0847: The ASN.1 decoder incorrectly validates a length parameter which leads to malloc() errors any possibly to a crash.
Solution
Please install the update.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| openSUSE | 11.0 | ppc | krb5-devel | < 1.6.3-50.5 | krb5-devel-1.6.3-50.5.ppc.rpm |
| SUSE Linux Enterprise Server | 11 | i586 | krb5 | < 1.6.3-133.25.1 | krb5-1.6.3-133.25.1.i586.rpm |
| SUSE Linux Enterprise Server | 11 | s390x | krb5-debuginfo | < 1.6.3-133.25.1 | krb5-debuginfo-1.6.3-133.25.1.s390x.rpm |
| openSUSE | 10.3 | x86_64 | krb5-devel-32bit | < 1.6.2-22.9 | krb5-devel-32bit-1.6.2-22.9.x86_64.rpm |
| openSUSE | 11.1 | i586 | krb5-devel | < 1.6.3-132.5.1 | krb5-devel-1.6.3-132.5.1.i586.rpm |
| SUSE SUSE Linux Enterprise Software Development Kit | 10.2 | ia64 | krb5-server | < 1.4.3-19.41 | krb5-server-1.4.3-19.41.ia64.rpm |
| openSUSE | 11.0 | ppc | krb5-server | < 1.6.3-50.3 | krb5-server-1.6.3-50.3.ppc.rpm |
| openSUSE | 11.1 | i586 | krb5-debugsource | < 1.6.3-132.5.1 | krb5-debugsource-1.6.3-132.5.1.i586.rpm |
| openSUSE | 11.0 | i586 | krb5 | < 1.6.3-50.3 | krb5-1.6.3-50.3.i586.rpm |
| openSUSE | 11.1 | x86_64 | krb5-devel | < 1.6.3-132.5.1 | krb5-devel-1.6.3-132.5.1.x86_64.rpm |
Related
