Red Hat Product Errata RHSA-2009:0408 - Security Advisory
Issued:
2009-04-07
Updated:
2009-04-07

RHSA-2009:0408 - Security Advisory

Synopsis

Important: krb5 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated krb5 packages that fix various security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Description

Kerberos is a network authentication system which allows clients and
servers to authenticate to each other using symmetric encryption and a
trusted third party, the Key Distribution Center (KDC). The Generic
Security Service Application Program Interface (GSS-API) definition
provides security services to callers (protocols) in a generic fashion. The
Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is used by
GSS-API peers to choose from a common set of security mechanisms.

An input validation flaw was found in the ASN.1 (Abstract Syntax Notation
One) decoder used by MIT Kerberos. A remote attacker could use this flaw to
crash a network service using the MIT Kerberos library, such as kadmind or
krb5kdc, by causing it to dereference or free an uninitialized pointer.
(CVE-2009-0846)

Multiple input validation flaws were found in the MIT Kerberos GSS-API
library's implementation of the SPNEGO mechanism. A remote attacker could
use these flaws to crash any network service utilizing the MIT Kerberos
GSS-API library to authenticate users or, possibly, leak portions of the
service's memory. (CVE-2009-0844, CVE-2009-0845)

All krb5 users should upgrade to these updated packages, which contain
backported patches to correct these issues. All running services using the
MIT Kerberos libraries must be restarted for the update to take effect.

Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.3 x86_64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.3 ia64
  • Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.3 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.3 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386
  • Red Hat Enterprise Linux Server - AUS 5.3 x86_64
  • Red Hat Enterprise Linux Server - AUS 5.3 ia64
  • Red Hat Enterprise Linux Server - AUS 5.3 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.3 ppc

Fixes

  • BZ - 490634 - CVE-2009-0845 krb5: NULL pointer dereference in GSSAPI SPNEGO (MITKRB5-SA-2009-001)
  • BZ - 491033 - CVE-2009-0844 krb5: buffer over-read in SPNEGO GSS-API mechanism (MITKRB5-SA-2009-001)
  • BZ - 491036 - CVE-2009-0846 krb5: ASN.1 decoder can free uninitialized pointer when decoding an invalid encoding (MITKRB5-SA-2009-002)

Red Hat Enterprise Linux Server 5

SRPM
krb5-1.6.1-31.el5_3.3.src.rpm SHA-256: 3dcce1fa8c2c091ef50cb98337d92e49f16cd589b3a5f420dfe3e9f45ccc8f9a
x86_64
krb5-devel-1.6.1-31.el5_3.3.i386.rpm SHA-256: c2afc551dab5b70ebcf1345b454b22c4234d5e9f55988a5cbebf789bf70bb57c
krb5-devel-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: daa43bd42cbd937592e7d7671b5bc6d6836d245fe868bf998494238c210dd930
krb5-libs-1.6.1-31.el5_3.3.i386.rpm SHA-256: 3f1d22f235a1ddcc94b6d98e7be0371d6223a3d52443b9bce58e9febb1210726
krb5-libs-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 511e4082f33b3c27a0ddbde9d3c8cd32ce48b29a18370f9f59c5007a5d59e423
krb5-server-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 0678f4d444fedb36a30102585a61fc6fdc175cfba82922325e7646c6177cfaf5
krb5-workstation-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 3bfcaa70197701e5a24a1605a424e7edaccccf11c54eab840409a2cf0c789b22
ia64
krb5-devel-1.6.1-31.el5_3.3.ia64.rpm SHA-256: 0c18a966c676dd978674d9deca2908e22b75e81008a654c864674d9819985df6
krb5-libs-1.6.1-31.el5_3.3.i386.rpm SHA-256: 3f1d22f235a1ddcc94b6d98e7be0371d6223a3d52443b9bce58e9febb1210726
krb5-libs-1.6.1-31.el5_3.3.ia64.rpm SHA-256: 7adc9a3aa050e9e035e52a37ac7bc8a630aec021dd783ab4ae4f75a09c842f79
krb5-server-1.6.1-31.el5_3.3.ia64.rpm SHA-256: e315163ace99b43cc17c688a27256901dd7b3157cf7a3b2a6d0e00a63f55b942
krb5-workstation-1.6.1-31.el5_3.3.ia64.rpm SHA-256: 467e07f9f623690d0a38c08085723d0d5f3ba11ae0e243b2811bf8d7d7a2d196
i386
krb5-devel-1.6.1-31.el5_3.3.i386.rpm SHA-256: c2afc551dab5b70ebcf1345b454b22c4234d5e9f55988a5cbebf789bf70bb57c
krb5-libs-1.6.1-31.el5_3.3.i386.rpm SHA-256: 3f1d22f235a1ddcc94b6d98e7be0371d6223a3d52443b9bce58e9febb1210726
krb5-server-1.6.1-31.el5_3.3.i386.rpm SHA-256: 0be65fa913baec467b82cecde1a7144299f7178c048211d26a0de2f56d953be1
krb5-workstation-1.6.1-31.el5_3.3.i386.rpm SHA-256: 855b3d4a2344270dc9c25c534bd67b2fc9258180f3e8ffdff3dd8504af468ccc

Red Hat Enterprise Linux for x86_64 - Extended Update Support 5.3

SRPM
x86_64
ia64
i386

Red Hat Enterprise Linux Server - AUS 5.3

SRPM
ia64
i386
x86_64

Red Hat Enterprise Linux Workstation 5

SRPM
krb5-1.6.1-31.el5_3.3.src.rpm SHA-256: 3dcce1fa8c2c091ef50cb98337d92e49f16cd589b3a5f420dfe3e9f45ccc8f9a
x86_64
krb5-devel-1.6.1-31.el5_3.3.i386.rpm SHA-256: c2afc551dab5b70ebcf1345b454b22c4234d5e9f55988a5cbebf789bf70bb57c
krb5-devel-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: daa43bd42cbd937592e7d7671b5bc6d6836d245fe868bf998494238c210dd930
krb5-libs-1.6.1-31.el5_3.3.i386.rpm SHA-256: 3f1d22f235a1ddcc94b6d98e7be0371d6223a3d52443b9bce58e9febb1210726
krb5-libs-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 511e4082f33b3c27a0ddbde9d3c8cd32ce48b29a18370f9f59c5007a5d59e423
krb5-server-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 0678f4d444fedb36a30102585a61fc6fdc175cfba82922325e7646c6177cfaf5
krb5-workstation-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 3bfcaa70197701e5a24a1605a424e7edaccccf11c54eab840409a2cf0c789b22
i386
krb5-devel-1.6.1-31.el5_3.3.i386.rpm SHA-256: c2afc551dab5b70ebcf1345b454b22c4234d5e9f55988a5cbebf789bf70bb57c
krb5-libs-1.6.1-31.el5_3.3.i386.rpm SHA-256: 3f1d22f235a1ddcc94b6d98e7be0371d6223a3d52443b9bce58e9febb1210726
krb5-server-1.6.1-31.el5_3.3.i386.rpm SHA-256: 0be65fa913baec467b82cecde1a7144299f7178c048211d26a0de2f56d953be1
krb5-workstation-1.6.1-31.el5_3.3.i386.rpm SHA-256: 855b3d4a2344270dc9c25c534bd67b2fc9258180f3e8ffdff3dd8504af468ccc

Red Hat Enterprise Linux Desktop 5

SRPM
krb5-1.6.1-31.el5_3.3.src.rpm SHA-256: 3dcce1fa8c2c091ef50cb98337d92e49f16cd589b3a5f420dfe3e9f45ccc8f9a
x86_64
krb5-libs-1.6.1-31.el5_3.3.i386.rpm SHA-256: 3f1d22f235a1ddcc94b6d98e7be0371d6223a3d52443b9bce58e9febb1210726
krb5-libs-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 511e4082f33b3c27a0ddbde9d3c8cd32ce48b29a18370f9f59c5007a5d59e423
krb5-workstation-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 3bfcaa70197701e5a24a1605a424e7edaccccf11c54eab840409a2cf0c789b22
i386
krb5-libs-1.6.1-31.el5_3.3.i386.rpm SHA-256: 3f1d22f235a1ddcc94b6d98e7be0371d6223a3d52443b9bce58e9febb1210726
krb5-workstation-1.6.1-31.el5_3.3.i386.rpm SHA-256: 855b3d4a2344270dc9c25c534bd67b2fc9258180f3e8ffdff3dd8504af468ccc

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
krb5-1.6.1-31.el5_3.3.src.rpm SHA-256: 3dcce1fa8c2c091ef50cb98337d92e49f16cd589b3a5f420dfe3e9f45ccc8f9a
s390x
krb5-devel-1.6.1-31.el5_3.3.s390.rpm SHA-256: 22eef0e7b81b99af97c5d9fe6a7e50025356d89e4fc9d9cd964b4984f01d02ab
krb5-devel-1.6.1-31.el5_3.3.s390x.rpm SHA-256: 8b74babf113e582a36801b004bfc88b9acdb8dbb8b8d7e849a0bb499f16102ef
krb5-libs-1.6.1-31.el5_3.3.s390.rpm SHA-256: 0b1f505c6b45e942bc9380daee636d3f73d5f83cb3c988f06b5ba48ece88873c
krb5-libs-1.6.1-31.el5_3.3.s390x.rpm SHA-256: 8cc1911d064bce42620d282d96710960548c95ae445510bf5c9e48eb065f0658
krb5-server-1.6.1-31.el5_3.3.s390x.rpm SHA-256: 130e6ae3380a3282151e44171ef2b96656b905a57eed71b11d5a53814add6fd8
krb5-workstation-1.6.1-31.el5_3.3.s390x.rpm SHA-256: 03cb6f70e906bab0cc3f35c33191268a1066fa1e430c0485e059e30200378a14

Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 5.3

SRPM
s390x

Red Hat Enterprise Linux for Power, big endian 5

SRPM
krb5-1.6.1-31.el5_3.3.src.rpm SHA-256: 3dcce1fa8c2c091ef50cb98337d92e49f16cd589b3a5f420dfe3e9f45ccc8f9a
ppc
krb5-devel-1.6.1-31.el5_3.3.ppc.rpm SHA-256: 4948eb3d8d8c8dd1351d0eedf8d37607e59f2d63954aae5f38d67c3187af5d6c
krb5-devel-1.6.1-31.el5_3.3.ppc64.rpm SHA-256: d5e06a87963f38c22a6541052c73049550aed5733b816dc4d52d588947f6109e
krb5-libs-1.6.1-31.el5_3.3.ppc.rpm SHA-256: 6db761ead9ca5e9187b3138054c50f96b7b0196c9b2d89e7100c3856828ffcfb
krb5-libs-1.6.1-31.el5_3.3.ppc64.rpm SHA-256: d04b76436476c8939118230dcfa21ec6dde855947c744bd8e12b98d4c9d0da36
krb5-server-1.6.1-31.el5_3.3.ppc.rpm SHA-256: cfd24ba0b9c26d54b47f7dfd9f0091c0a9c2ebb995442f9819e8fcb30ad7f5fe
krb5-workstation-1.6.1-31.el5_3.3.ppc.rpm SHA-256: 98495ac32f50b294057a23a7b9776afb4c71f041bb3316eafafb24f858dc6930

Red Hat Enterprise Linux Server from RHUI 5

SRPM
krb5-1.6.1-31.el5_3.3.src.rpm SHA-256: 3dcce1fa8c2c091ef50cb98337d92e49f16cd589b3a5f420dfe3e9f45ccc8f9a
x86_64
krb5-devel-1.6.1-31.el5_3.3.i386.rpm SHA-256: c2afc551dab5b70ebcf1345b454b22c4234d5e9f55988a5cbebf789bf70bb57c
krb5-devel-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: daa43bd42cbd937592e7d7671b5bc6d6836d245fe868bf998494238c210dd930
krb5-libs-1.6.1-31.el5_3.3.i386.rpm SHA-256: 3f1d22f235a1ddcc94b6d98e7be0371d6223a3d52443b9bce58e9febb1210726
krb5-libs-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 511e4082f33b3c27a0ddbde9d3c8cd32ce48b29a18370f9f59c5007a5d59e423
krb5-server-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 0678f4d444fedb36a30102585a61fc6fdc175cfba82922325e7646c6177cfaf5
krb5-workstation-1.6.1-31.el5_3.3.x86_64.rpm SHA-256: 3bfcaa70197701e5a24a1605a424e7edaccccf11c54eab840409a2cf0c789b22
i386
krb5-devel-1.6.1-31.el5_3.3.i386.rpm SHA-256: c2afc551dab5b70ebcf1345b454b22c4234d5e9f55988a5cbebf789bf70bb57c
krb5-libs-1.6.1-31.el5_3.3.i386.rpm SHA-256: 3f1d22f235a1ddcc94b6d98e7be0371d6223a3d52443b9bce58e9febb1210726
krb5-server-1.6.1-31.el5_3.3.i386.rpm SHA-256: 0be65fa913baec467b82cecde1a7144299f7178c048211d26a0de2f56d953be1
krb5-workstation-1.6.1-31.el5_3.3.i386.rpm SHA-256: 855b3d4a2344270dc9c25c534bd67b2fc9258180f3e8ffdff3dd8504af468ccc

Red Hat Enterprise Linux for Power, big endian - Extended Update Support 5.3

SRPM
ppc

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.