Aviso de seguridad de Debian

DSA-184-1 krb4 -- desbordamiento de búfer

Fecha del informe:

30 de oct de 2002

Paquetes afectados:

Vulnerable:

Sí

Referencias a bases de datos de seguridad:

En el diccionario CVE de Mitre: CVE-2002-1235.
Notas y avisos de incidentes y vulnerabilidades en CERT: CA-2002-29, VU#875073.

Información adicional:

Tom Yu y Sam Hartman, del MIT, descubrieron otro desbordamiento de búfer en la función kadm_ser_wrap_in en el servidor de administración de Kerberos v4. Está circulando un código para explotar el error de kadmind, por lo que se considera serio.

Este problema se ha corregido en la versión 1.1-8-2.2 para la distribución estable actual (woody), en la versión 1.0-2.2 para la distribución estable anterior (potato) y en la versión 1.1-11-8 para la distribución inestable (sid).

Le recomendamos que actualice los paquetes de krb4 inmediatamente.

Arreglado en:

Debian GNU/Linux 2.2 (potato)

Fuentes:: http://security.debian.org/pool/updates/main/k/krb4/krb4_1.0-2.2.dsc; http://security.debian.org/pool/updates/main/k/krb4/krb4_1.0-2.2.diff.gz; http://security.debian.org/pool/updates/main/k/krb4/krb4_1.0.orig.tar.gz
Alpha:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.0-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.0-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.0-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-services_1.0-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-user_1.0-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-x11_1.0-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth1_1.0-2.2_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.0-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.0-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.0-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-services_1.0-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-user_1.0-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-x11_1.0-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth1_1.0-2.2_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.0-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.0-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.0-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-services_1.0-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-user_1.0-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-x11_1.0-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth1_1.0-2.2_i386.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.0-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.0-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.0-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-services_1.0-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-user_1.0-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-x11_1.0-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth1_1.0-2.2_m68k.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.0-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.0-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.0-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-services_1.0-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-user_1.0-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-x11_1.0-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth1_1.0-2.2_sparc.deb

Debian GNU/Linux 3.0 (woody)

Fuentes:: http://security.debian.org/pool/updates/main/k/krb4/krb4_1.1-8-2.2.dsc; http://security.debian.org/pool/updates/main/k/krb4/krb4_1.1-8-2.2.tar.gz
Componentes independientes de la arquitectura:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-docs_1.1-8-2.2_all.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-services_1.1-8-2.2_all.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-user_1.1-8-2.2_all.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-x11_1.1-8-2.2_all.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth1_1.1-8-2.2_all.deb
Alpha:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_alpha.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_arm.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_i386.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_ia64.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_ia64.deb
HP Precision:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_hppa.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_m68k.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_mips.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_s390.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-clients-x_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-dev-common_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kdc_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-kip_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/kerberos4kth-servers-x_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/libacl1-kerberos4kth_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/libkadm1-kerberos4kth_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/libkdb-1-kerberos4kth_1.1-8-2.2_sparc.deb; http://security.debian.org/pool/updates/main/k/krb4/libkrb-1-kerberos4kth_1.1-8-2.2_sparc.deb

Las sumas MD5 de los ficheros que se listan están disponibles en el aviso original.