RHBA-2006:0404 - Bug Fix Advisory

Topic

Updated krb5 packages are now available for Red Hat Enterprise Linux 3.
This update corrects a crash that could occur if the Kerberos-aware FTP
client was used in PORT mode and contains a backported fix for an issue
that would cause unusual behavior in the krb5_parse_name() function.

Description

Kerberos is a network authentication system in which clients and servers
authenticate to each other with the help of a trusted third party.

FTP clients support two methods for establishing the data connection, which
is used to transfer all data which is not sent over the control connection.
There are two methods by which the data connection can be established,
differentiated by which system initiates the data connection. For
connections where the client accepts a connection from the server ("PORT"
connections), the client would attempt to dereference a NULL pointer and
crash. This update fixes the bug.

The krb5_parse_name() function is used to convert the string representation
of a Kerberos principal name into a krb5_principal structure. When the
string representation of a user's principal did not explicitly include a
realm name, krb5_parse_name() would use the name of the system's default
realm, even if the calling application had previously used the
krb5_set_default_realm() function to override this value. This update
includes a backported fix to address this bug.

Users of krb5 are advised to upgrade to the updated packages, which resolve
these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Affected Products

• Red Hat Enterprise Linux Server 3 x86_64
• Red Hat Enterprise Linux Server 3 ia64
• Red Hat Enterprise Linux Server 3 i386
• Red Hat Enterprise Linux Workstation 3 x86_64
• Red Hat Enterprise Linux Workstation 3 ia64
• Red Hat Enterprise Linux Workstation 3 i386
• Red Hat Enterprise Linux Desktop 3 x86_64
• Red Hat Enterprise Linux Desktop 3 i386
• Red Hat Enterprise Linux for IBM z Systems 3 s390x
• Red Hat Enterprise Linux for IBM z Systems 3 s390
• Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

• BZ - 99310 - LTC3487 - ftp causes segmentation fault
• BZ - 117214 - [PATCH] krb5_parse_name() doesn't track changes to default realm

CVEs

(none)

References

(none)