Forum: >>> Magnum BBS <<<

[SECURITY] [DSA-2129-1] New krb5 packages fix checksum verification wea

From Stefan Fritsch@1:229/2 to All on Wed Dec 1 21:30:03 2010

From: [email protected]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------ Debian Security Advisory DSA-2129-1 [email protected] http://www.debian.org/security/ Stefan Fritsch December 1, 2010 http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package : krb5
Vulnerability : checksum verification weakness
Problem type : remote
Debian-specific: no
CVE Id(s) : CVE-2010-1323

A vulnerability has been found in krb5, the MIT implementation of
Kerberos.

MIT krb5 clients incorrectly accept an unkeyed checksums in the SAM-2 preauthentication challenge: An unauthenticated remote attacker could
alter a SAM-2 challenge, affecting the prompt text seen by the user or
the kind of response sent to the KDC. Under some circumstances, this
can negate the incremental security benefit of using a single-use authentication mechanism token.

MIT krb5 incorrectly accepts RFC 3961 key-derivation checksums using
RC4 keys when verifying KRB-SAFE messages: An unauthenticated remote
attacker has a 1/256 chance of forging KRB-SAFE messages in an
application protocol if the targeted pre-existing session uses an RC4
session key. Few application protocols use KRB-SAFE messages.

The Common Vulnerabilities and Exposures project has assigned
CVE-2010-1323 to these issues.

For the stable distribution (lenny), these problems have been fixed in
version 1.6.dfsg.4~beta1-5lenny6.

The builds for the mips architecture are not included in this advisory.
They will be released as soon as they are available.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problem have been fixed in version 1.8.3+dfsg-3.

We recommend that you upgrade your krb5 packages.

Upgrade instructions
- --------------------

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 5.0 alias lenny (stable)
- -----------------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mipsel, powerpc, s390 and sparc.

Source archives:

http://security.debian.org/pool/updates/main/k/krb5/krb5_1.6.dfsg.4~beta1-5lenny6.dsc
Size/MD5 checksum: 1537 6f0899080bda14e0a277120d9395a707
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.6.dfsg.4~beta1-5lenny6.diff.gz
Size/MD5 checksum: 850645 fe444178e83d0010636cf3c50129a437
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.6.dfsg.4~beta1.orig.tar.gz
Size/MD5 checksum: 11647547 08d6ce311204803acbe878ef0bb23c71

Architecture independent packages:

http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.6.dfsg.4~beta1-5lenny6_all.deb
Size/MD5 checksum: 2147158 2cfbb257055a479cfd20c28ac036841a

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 83438 ef4ea5d711704df27427ff9f31adf0ea
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 72510 006248eab3a97b16f58672cd071ad364
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 150098 2d6b0db75b4fb0cbaf9f35ae3222418a
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 93104 063e77172ad83b511cec94744897774a
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 179996 1308d85575bc72553091415ddf495f1d
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 70572 e344d6c4b97d5cb687c545a8c23bd509
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 538936 53fa646ff8cd2cbfeaedec1f163658a0
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 98862 54f5ec1148fd23369ad3939668ebf354
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 1352374 008f7018c0f89e6a4a65efceb6670ffe
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 219658 01d18db8606f3b0df1e573663bfa3304
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 113144 9d90e615677c2e53902e85465cbd8765
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 255778 75c8eef8f51aeae3fe00e861a369958b
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_alpha.deb
Size/MD5 checksum: 98788 780c1bcf6bccd01c5ab309be264917cc

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_amd64.deb
Size/MD5 checksum: 199668 205aee381d50d20e538e13c399269b24
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_amd64.deb
Size/MD5 checksum: 238594 093eb931610c5e4dd7a85f64782c1aab
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_amd64.deb
Size/MD5 checksum: 1474680 6410656466c3300e86ed0c319c48f3b5
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_amd64.deb
Size/MD5 checksum: 68234 0f4adafd1029f012d8f1048bc76e2c69
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_amd64.deb
Size/MD5 checksum: 108488 f173adaf924918436a1923f83cad2694
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_amd64.deb
Size/MD5 checksum: 519714 2b3e3ba20811e361a01428945c7af509

[continued in next message]

--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)

Who's Online
Recent Visitors
- Furryboy
  Sat Jun 6 10:56:29 2026
  from Romania, Galati via SSH
- Centurion
  Fri Jun 5 22:28:01 2026
  from Berea, Ohio via Telnet
- Ab Cadd
  Fri Jun 5 17:52:51 2026
  from Sheboygan, Wi via Telnet
- Gwylbert
  Fri Jun 5 06:28:52 2026
  from Sydney, Nsw via Telnet
- Centurion
  Thu Jun 4 23:42:23 2026
  from Berea, Ohio via Telnet
- Michal Wronka
  Thu Jun 4 23:19:58 2026
  from Wroclaw, Poland via Telnet
- Michal Wronka
  Thu Jun 4 23:17:20 2026
  from Wroclaw, Poland via SSH
- Michal Wronka
  Thu Jun 4 23:13:51 2026
  from Wroclaw, Poland via SSH

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	714
Nodes:	16 (2 / 14)
Uptime:	142:14:42
Calls:	12,088
Calls today:	1
Files:	14,998
Messages:	6,517,451

[SECURITY] [DSA-2129-1] New krb5 packages fix checksum verification wea

Who's Online

Recent Visitors

System Info