Red Hat Product Errata RHSA-2012:0306 - Security Advisory
Issued:
2012-02-21
Updated:
2012-02-21

RHSA-2012:0306 - Security Advisory

Synopsis

Low: krb5 security and bug fix update

Type/Severity

Security Advisory: Low

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated krb5 packages that fix one security issue and various bugs are now
available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.

Description

Kerberos is a network authentication system which allows clients and
servers to authenticate to each other using symmetric encryption and a
trusted third-party, the Key Distribution Center (KDC).

It was found that ftpd, a Kerberos-aware FTP server, did not properly drop
privileges. On Red Hat Enterprise Linux 5, the ftpd daemon did not check
for the potential failure of the effective group ID change system call. If
the group ID change failed, a remote FTP user could use this flaw to gain
unauthorized read or write access to files that are owned by the root
group. (CVE-2011-1526)

Red Hat would like to thank the MIT Kerberos project for reporting this
issue. Upstream acknowledges Tim Zingelman as the original reporter.

This update also fixes the following bugs:

  • Due to a mistake in the Kerberos libraries, a client could fail to

contact a Key Distribution Center (KDC) or terminate unexpectedly if the
client had already more than 1024 file descriptors in use. This update
backports modifications to the Kerberos libraries and the libraries use
the poll() function instead of the select() function, as poll() does not
have this limitation. (BZ#701444)

  • The KDC failed to release memory when processing a TGS (ticket-granting

server) request from a client if the client request included an
authenticator with a subkey. As a result, the KDC consumed an excessive
amount of memory. With this update, the code releasing the memory has been
added and the problem no longer occurs. (BZ#708516)

  • Under certain circumstances, if services requiring Kerberos

authentication sent two authentication requests to the authenticating
server, the second authentication request was flagged as a replay attack.
As a result, the second authentication attempt was denied. This update
applies an upstream patch that fixes this bug. (BZ#713500)

  • Previously, if Kerberos credentials had expired, the klist command could

terminate unexpectedly with a segmentation fault when invoked with the -s
option. This happened when klist encountered and failed to process an entry
with no realm name while scanning the credential cache. With this update,
the underlying code has been modified and the command handles such entries
correctly. (BZ#729067)

  • Due to a regression, multi-line FTP macros terminated prematurely with a

segmentation fault. This occurred because the previously-added patch failed
to properly support multi-line macros. This update restores the support for
multi-line macros and the problem no longer occurs. (BZ#735363, BZ#736132)

All users of krb5 are advised to upgrade to these updated packages, which
resolve these issues.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

Affected Products

  • Red Hat Enterprise Linux Server 5 x86_64
  • Red Hat Enterprise Linux Server 5 ia64
  • Red Hat Enterprise Linux Server 5 i386
  • Red Hat Enterprise Linux Workstation 5 x86_64
  • Red Hat Enterprise Linux Workstation 5 i386
  • Red Hat Enterprise Linux Desktop 5 x86_64
  • Red Hat Enterprise Linux Desktop 5 i386
  • Red Hat Enterprise Linux for IBM z Systems 5 s390x
  • Red Hat Enterprise Linux for Power, big endian 5 ppc
  • Red Hat Enterprise Linux Server from RHUI 5 x86_64
  • Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

  • BZ - 701444 - Fix libkrb5 to work when > 1024 file descriptors are in use
  • BZ - 708516 - memory leak during kdc TGS request
  • BZ - 711419 - CVE-2011-1526 krb5, krb5-appl: ftpd incorrect group privilege dropping (MITKRB5-SA-2011-005)
  • BZ - 729067 - klist -s segfaults with expired credentials
  • BZ - 750823 - Newly introduced defect into krb5

Red Hat Enterprise Linux Server 5

SRPM
krb5-1.6.1-70.el5.src.rpm SHA-256: 5fbd4340f640f16d569dc6b2791613aaa91c808474bed7746d2b5a1c4a116fd3
x86_64
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-debuginfo-1.6.1-70.el5.x86_64.rpm SHA-256: 9d45df9a9fef7a4fea12e09cdcb49b5f6e509171e852c7a0b29fdf0b222a739c
krb5-devel-1.6.1-70.el5.i386.rpm SHA-256: 82f0f7f0a54af2492282b18eeb94cbc47ce76e64c71fcc9bbc99d2a2a66c5838
krb5-devel-1.6.1-70.el5.x86_64.rpm SHA-256: ba5092f9bb4e0411bde4dd78ad4f3ddf37152fdabd02e18d7496efc203a636b8
krb5-libs-1.6.1-70.el5.i386.rpm SHA-256: 4daf5670b8697637e93d197e324b4a3854bf533caa4680bbcb659c82878fda68
krb5-libs-1.6.1-70.el5.x86_64.rpm SHA-256: f4205c573f80b6dbcb2ea8ec24e55c2d57b2987be6cdede564fcc790fb5d82f6
krb5-server-1.6.1-70.el5.x86_64.rpm SHA-256: 87ae0b100fdf4bd8107dd7c40668e16b0b4eb319ed54bb9f6038ddcc23a9384b
krb5-server-ldap-1.6.1-70.el5.x86_64.rpm SHA-256: 390d835e0fca2e437bb1a81e0cba955a16d017be2a99eed0aad068b4920ef7a6
krb5-workstation-1.6.1-70.el5.x86_64.rpm SHA-256: ae8089a7f01e66ef5fb4d94bab0fa6914780665eb474c5e97ef1c16deeb710bf
ia64
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-debuginfo-1.6.1-70.el5.ia64.rpm SHA-256: f82b18cdb1d0dcfc1410f4b5fbea8f9302ad3b9e3e9d2b6c17456e12f05cc87a
krb5-devel-1.6.1-70.el5.ia64.rpm SHA-256: 81e0d8cb8681cc2f702495a096dba62fa0ecf118e59a04536a8f40977588d6f9
krb5-libs-1.6.1-70.el5.i386.rpm SHA-256: 4daf5670b8697637e93d197e324b4a3854bf533caa4680bbcb659c82878fda68
krb5-libs-1.6.1-70.el5.ia64.rpm SHA-256: 9d5bf5f87c2a69d232bb26185ba732565ed46aac7b377e49172a8f5a15bdcc2b
krb5-server-1.6.1-70.el5.ia64.rpm SHA-256: aa382f5e7fbb9f89c93e4ac4c507c8342050854cbf1abb925e8d4460c1566ccb
krb5-server-ldap-1.6.1-70.el5.ia64.rpm SHA-256: 536c4bb7ee2ce347663416af06d162357002b667ccdeba3c7b0646183f526877
krb5-workstation-1.6.1-70.el5.ia64.rpm SHA-256: 3da2a82afa246928e4796fe831bff9fb0396863112059c636de884242e4d6a2c
i386
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-devel-1.6.1-70.el5.i386.rpm SHA-256: 82f0f7f0a54af2492282b18eeb94cbc47ce76e64c71fcc9bbc99d2a2a66c5838
krb5-libs-1.6.1-70.el5.i386.rpm SHA-256: 4daf5670b8697637e93d197e324b4a3854bf533caa4680bbcb659c82878fda68
krb5-server-1.6.1-70.el5.i386.rpm SHA-256: 9337caf697f0cec814a07e58af307f060e627c0765f88f7d86bc067bba5b5e93
krb5-server-ldap-1.6.1-70.el5.i386.rpm SHA-256: 19528db8fefdce1dcf7d14e2e463a24f0b29e7207b35f06ead84fa6e300918a4
krb5-workstation-1.6.1-70.el5.i386.rpm SHA-256: 5101e4a5dcc5603c3353c9259f818448a4c8e7b2479fced656e90987bc1ba30f

Red Hat Enterprise Linux Workstation 5

SRPM
krb5-1.6.1-70.el5.src.rpm SHA-256: 5fbd4340f640f16d569dc6b2791613aaa91c808474bed7746d2b5a1c4a116fd3
x86_64
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-debuginfo-1.6.1-70.el5.x86_64.rpm SHA-256: 9d45df9a9fef7a4fea12e09cdcb49b5f6e509171e852c7a0b29fdf0b222a739c
krb5-debuginfo-1.6.1-70.el5.x86_64.rpm SHA-256: 9d45df9a9fef7a4fea12e09cdcb49b5f6e509171e852c7a0b29fdf0b222a739c
krb5-devel-1.6.1-70.el5.i386.rpm SHA-256: 82f0f7f0a54af2492282b18eeb94cbc47ce76e64c71fcc9bbc99d2a2a66c5838
krb5-devel-1.6.1-70.el5.x86_64.rpm SHA-256: ba5092f9bb4e0411bde4dd78ad4f3ddf37152fdabd02e18d7496efc203a636b8
krb5-libs-1.6.1-70.el5.i386.rpm SHA-256: 4daf5670b8697637e93d197e324b4a3854bf533caa4680bbcb659c82878fda68
krb5-libs-1.6.1-70.el5.x86_64.rpm SHA-256: f4205c573f80b6dbcb2ea8ec24e55c2d57b2987be6cdede564fcc790fb5d82f6
krb5-server-1.6.1-70.el5.x86_64.rpm SHA-256: 87ae0b100fdf4bd8107dd7c40668e16b0b4eb319ed54bb9f6038ddcc23a9384b
krb5-server-ldap-1.6.1-70.el5.x86_64.rpm SHA-256: 390d835e0fca2e437bb1a81e0cba955a16d017be2a99eed0aad068b4920ef7a6
krb5-workstation-1.6.1-70.el5.x86_64.rpm SHA-256: ae8089a7f01e66ef5fb4d94bab0fa6914780665eb474c5e97ef1c16deeb710bf
i386
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-devel-1.6.1-70.el5.i386.rpm SHA-256: 82f0f7f0a54af2492282b18eeb94cbc47ce76e64c71fcc9bbc99d2a2a66c5838
krb5-libs-1.6.1-70.el5.i386.rpm SHA-256: 4daf5670b8697637e93d197e324b4a3854bf533caa4680bbcb659c82878fda68
krb5-server-1.6.1-70.el5.i386.rpm SHA-256: 9337caf697f0cec814a07e58af307f060e627c0765f88f7d86bc067bba5b5e93
krb5-server-ldap-1.6.1-70.el5.i386.rpm SHA-256: 19528db8fefdce1dcf7d14e2e463a24f0b29e7207b35f06ead84fa6e300918a4
krb5-workstation-1.6.1-70.el5.i386.rpm SHA-256: 5101e4a5dcc5603c3353c9259f818448a4c8e7b2479fced656e90987bc1ba30f

Red Hat Enterprise Linux Desktop 5

SRPM
krb5-1.6.1-70.el5.src.rpm SHA-256: 5fbd4340f640f16d569dc6b2791613aaa91c808474bed7746d2b5a1c4a116fd3
x86_64
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-debuginfo-1.6.1-70.el5.x86_64.rpm SHA-256: 9d45df9a9fef7a4fea12e09cdcb49b5f6e509171e852c7a0b29fdf0b222a739c
krb5-libs-1.6.1-70.el5.i386.rpm SHA-256: 4daf5670b8697637e93d197e324b4a3854bf533caa4680bbcb659c82878fda68
krb5-libs-1.6.1-70.el5.x86_64.rpm SHA-256: f4205c573f80b6dbcb2ea8ec24e55c2d57b2987be6cdede564fcc790fb5d82f6
krb5-workstation-1.6.1-70.el5.x86_64.rpm SHA-256: ae8089a7f01e66ef5fb4d94bab0fa6914780665eb474c5e97ef1c16deeb710bf
i386
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-libs-1.6.1-70.el5.i386.rpm SHA-256: 4daf5670b8697637e93d197e324b4a3854bf533caa4680bbcb659c82878fda68
krb5-workstation-1.6.1-70.el5.i386.rpm SHA-256: 5101e4a5dcc5603c3353c9259f818448a4c8e7b2479fced656e90987bc1ba30f

Red Hat Enterprise Linux for IBM z Systems 5

SRPM
krb5-1.6.1-70.el5.src.rpm SHA-256: 5fbd4340f640f16d569dc6b2791613aaa91c808474bed7746d2b5a1c4a116fd3
s390x
krb5-debuginfo-1.6.1-70.el5.s390.rpm SHA-256: e5a0e5397ba159f951a13694c3ca84a9ec6590cb237e759e73233c9bf63ba156
krb5-debuginfo-1.6.1-70.el5.s390x.rpm SHA-256: 2329888e186b5534d80a24259399e1615d896a599ead2405dbc15461a2483b0f
krb5-devel-1.6.1-70.el5.s390.rpm SHA-256: 7ed31ca98f28ad6505113d6cd516dcbb34b4f2da09a273db394dc80af59ef437
krb5-devel-1.6.1-70.el5.s390x.rpm SHA-256: 3edd016fce79f8c5c006f3c29ea799d32925ffa7898517c582ca237b587dcae8
krb5-libs-1.6.1-70.el5.s390.rpm SHA-256: 2e61b4e056c3eff8b8f2d0918774d69ee2cc7ad283aa530134b5ac391c567c81
krb5-libs-1.6.1-70.el5.s390x.rpm SHA-256: f655ab55bab7a43f6e0f604e640f0f52479d0730e52fc8d03e3dee7e5870da48
krb5-server-1.6.1-70.el5.s390x.rpm SHA-256: fa6a0ed3eae66ed476f25bcf7bd027c467fe70fd5c2bec014e4bc78ae6c41c1b
krb5-server-ldap-1.6.1-70.el5.s390x.rpm SHA-256: c2633294424e74f3bd55556d8eeace7b694aec4ff178a90b7c8d792088939b89
krb5-workstation-1.6.1-70.el5.s390x.rpm SHA-256: e4b02aa8574ac161a23ad756d2e314eaf5be557a0cae4baaef0b8c3dbc292736

Red Hat Enterprise Linux for Power, big endian 5

SRPM
krb5-1.6.1-70.el5.src.rpm SHA-256: 5fbd4340f640f16d569dc6b2791613aaa91c808474bed7746d2b5a1c4a116fd3
ppc
krb5-debuginfo-1.6.1-70.el5.ppc.rpm SHA-256: 14ec09a03e3d42a7a1f714811ac0e114ef56a4d1f98659ce644c323add3572a0
krb5-debuginfo-1.6.1-70.el5.ppc64.rpm SHA-256: 4f1894813a93fd5e568a93a75fb2bc0cdb47c81b06b2a5f93dd8e08e9578e68a
krb5-devel-1.6.1-70.el5.ppc.rpm SHA-256: 9e2cc12b1dac7fd9b820457c55cb9160579e8c1acb29248518060e3037b7b2b2
krb5-devel-1.6.1-70.el5.ppc64.rpm SHA-256: 5a556c77188e7f6a77acc54b254a8b449cd1190cc3a82383a0c10f287de3fb78
krb5-libs-1.6.1-70.el5.ppc.rpm SHA-256: d384c91b3c972cbc86a8d457405ee8e7d4dda46868343dab05e4adea819bf234
krb5-libs-1.6.1-70.el5.ppc64.rpm SHA-256: a2f25845357db6415619d7458f216bf6460eec50a7f1cbbc5bbbc48327bf2bbb
krb5-server-1.6.1-70.el5.ppc.rpm SHA-256: 6d5f93090af2b258848d6da48dce1a4753a3bad588c855f5d72f8109468783ce
krb5-server-ldap-1.6.1-70.el5.ppc.rpm SHA-256: 87dbfe168c0c263d516df52320e7ba63358576da5c2e5bacf512cc8d8778487e
krb5-workstation-1.6.1-70.el5.ppc.rpm SHA-256: 2427c8945560af56e62edf3a0f7c2676d7bc276aba60b52db94538ccb0577dc8

Red Hat Enterprise Linux Server from RHUI 5

SRPM
krb5-1.6.1-70.el5.src.rpm SHA-256: 5fbd4340f640f16d569dc6b2791613aaa91c808474bed7746d2b5a1c4a116fd3
x86_64
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-debuginfo-1.6.1-70.el5.x86_64.rpm SHA-256: 9d45df9a9fef7a4fea12e09cdcb49b5f6e509171e852c7a0b29fdf0b222a739c
krb5-devel-1.6.1-70.el5.i386.rpm SHA-256: 82f0f7f0a54af2492282b18eeb94cbc47ce76e64c71fcc9bbc99d2a2a66c5838
krb5-devel-1.6.1-70.el5.x86_64.rpm SHA-256: ba5092f9bb4e0411bde4dd78ad4f3ddf37152fdabd02e18d7496efc203a636b8
krb5-libs-1.6.1-70.el5.i386.rpm SHA-256: 4daf5670b8697637e93d197e324b4a3854bf533caa4680bbcb659c82878fda68
krb5-libs-1.6.1-70.el5.x86_64.rpm SHA-256: f4205c573f80b6dbcb2ea8ec24e55c2d57b2987be6cdede564fcc790fb5d82f6
krb5-server-1.6.1-70.el5.x86_64.rpm SHA-256: 87ae0b100fdf4bd8107dd7c40668e16b0b4eb319ed54bb9f6038ddcc23a9384b
krb5-server-ldap-1.6.1-70.el5.x86_64.rpm SHA-256: 390d835e0fca2e437bb1a81e0cba955a16d017be2a99eed0aad068b4920ef7a6
krb5-workstation-1.6.1-70.el5.x86_64.rpm SHA-256: ae8089a7f01e66ef5fb4d94bab0fa6914780665eb474c5e97ef1c16deeb710bf
i386
krb5-debuginfo-1.6.1-70.el5.i386.rpm SHA-256: f5e476f573ac51b9cd702d8935bfea5554cd71601a3db8e01e38693471339bb0
krb5-devel-1.6.1-70.el5.i386.rpm SHA-256: 82f0f7f0a54af2492282b18eeb94cbc47ce76e64c71fcc9bbc99d2a2a66c5838
krb5-libs-1.6.1-70.el5.i386.rpm SHA-256: 4daf5670b8697637e93d197e324b4a3854bf533caa4680bbcb659c82878fda68
krb5-server-1.6.1-70.el5.i386.rpm SHA-256: 9337caf697f0cec814a07e58af307f060e627c0765f88f7d86bc067bba5b5e93
krb5-server-ldap-1.6.1-70.el5.i386.rpm SHA-256: 19528db8fefdce1dcf7d14e2e463a24f0b29e7207b35f06ead84fa6e300918a4
krb5-workstation-1.6.1-70.el5.i386.rpm SHA-256: 5101e4a5dcc5603c3353c9259f818448a4c8e7b2479fced656e90987bc1ba30f

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.