Debian DSA-543-1 : krb5 - several vulnerabilities

high Nessus Plugin ID 15380

Synopsis

The remote Debian host is missing a security-related update.

Description

The MIT Kerberos Development Team has discovered a number of vulnerabilities in the MIT Kerberos Version 5 software. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities :

- CAN-2004-0642 [VU#795632] A double-free error may allow unauthenticated remote attackers to execute arbitrary code on KDC or clients.

- CAN-2004-0643 [VU#866472]

Several double-free errors may allow authenticated attackers to execute arbitrary code on Kerberos application servers.

- CAN-2004-0644 [VU#550464]

A remotely exploitable denial of service vulnerability has been found in the KDC and libraries.

- CAN-2004-0772 [VU#350792]

Several double-free errors may allow remote attackers to execute arbitrary code on the server. This does not affect the version in woody.

Solution

Upgrade the krb5 packages.

For the stable distribution (woody) these problems have been fixed in version 1.2.4-5woody6.

See Also

http://www.debian.org/security/2004/dsa-543

Plugin Details

Severity: High

ID: 15380

File Name: debian_DSA-543.nasl

Version: 1.26

Type: local

Agent: unix

Published: 9/29/2004

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:3.0, p-cpe:/a:debian:debian_linux:krb5

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 8/31/2004

Vulnerability Publication Date: 8/31/2004

Reference Information

CVE: CVE-2004-0642, CVE-2004-0643, CVE-2004-0644, CVE-2004-0772

CWE: 119

CERT: 350792, 550464, 795632, 866472

DSA: 543