
Vulnerability of MIT krb5: denial of service of GSSAPI

Synthesis of the vulnerability 

An attacker can use several vulnerabilities of MIT krb5.
Vulnerable software: Debian, BIG-IP Hardware, TMOS, Fedora, AIX, MIT krb5, openSUSE, Oracle Communications, Solaris, RHEL, Ubuntu.
Severity of this announcement: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 21/07/2014.
References of this computer vulnerability: cpuoct2017, CVE-2014-4341, CVE-2014-4342, DSA-3000-1, FEDORA-2014-8176, FEDORA-2014-8189, K15552, MDVSA-2014:156, MDVSA-2014:165, openSUSE-SU-2014:0977-1, RHSA-2014:1245-01, RHSA-2014:1389-02, RHSA-2015:0439-01, SOL15547, SOL15552, USN-2310-1, VIGILANCE-VUL-15079.

Description of the vulnerability 

Several vulnerabilities were announced in MIT krb5.

An attacker can inject malicious packets into a GSSAPI session, so that the library reads beyond the end of a memory area (buffer over-read), in order to trigger a denial of service. [severity:2/4; CVE-2014-4341]

An attacker can inject malicious packets into a GSSAPI session, so that the library reads beyond the end of a memory area or dereferences a NULL pointer, in order to trigger a denial of service. [severity:2/4; CVE-2014-4342]
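As an added illustration of the bug class described above (this is example code written for this page, not MIT krb5 code and not part of the bulletin): a parser for the RFC 4121 GSSAPI Wrap token that validates every length field before using it, so a token that lacks expected fields or carries an EC larger than its body is rejected with an error instead of being read past its end. The token layout follows RFC 4121; checksum verification and decryption, which need the session key, are deliberately left out.

```python
import struct

# RFC 4121 Wrap token layout: a 16-byte header followed by the body.
#   TOK_ID(2) | Flags(1) | Filler(1)=0xFF | EC(2) | RRC(2) | SND_SEQ(8)
WRAP_TOK_ID = 0x0504
FLAG_SEALED = 0x02
HEADER_LEN = 16


class MalformedToken(ValueError):
    """Token lacks an expected field or carries a length that does not fit."""


def build_wrap_token(data: bytes, checksum: bytes, seq: int, rrc: int = 0, flags: int = 0) -> bytes:
    """Build an integrity-only Wrap token: body = rotate_right(data || checksum, RRC)."""
    body = data + checksum
    r = rrc % len(body) if body else 0
    rotated = body[-r:] + body[:-r] if r else body
    header = struct.pack(">HBBHHQ", WRAP_TOK_ID, flags, 0xFF, len(checksum), rrc, seq)
    return header + rotated


def parse_wrap_token(token: bytes) -> dict:
    """Parse a Wrap token, checking each length before it is used.
    Malformed input raises MalformedToken rather than reading past the token."""
    if len(token) < HEADER_LEN:
        raise MalformedToken(f"token too short for a header: {len(token)} < {HEADER_LEN}")
    tok_id, flags, filler, ec, rrc, seq = struct.unpack(">HBBHHQ", token[:HEADER_LEN])
    if tok_id != WRAP_TOK_ID:
        raise MalformedToken(f"unexpected TOK_ID 0x{tok_id:04x}")
    if filler != 0xFF:
        raise MalformedToken("filler byte is not 0xFF")
    body = token[HEADER_LEN:]
    if flags & FLAG_SEALED:
        # A sealed body is ciphertext; EC only becomes meaningful after decryption
        # with the session key, so this example stops at the validated header.
        return {"flags": flags, "seq": seq, "sealed": True, "body": body}
    # Integrity-only Wrap: EC is the checksum length. A peer-supplied EC larger
    # than the body is exactly the kind of field that must not be trusted blindly.
    if ec > len(body):
        raise MalformedToken(f"EC {ec} exceeds body length {len(body)}")
    r = rrc % len(body) if body else 0
    unrotated = body[r:] + body[:r]  # undo the right rotation by RRC
    split = len(unrotated) - ec
    return {"flags": flags, "seq": seq, "sealed": False,
            "data": unrotated[:split], "checksum": unrotated[split:]}


def token_is_well_formed(token: bytes) -> bool:
    """True if the token parses; False if the parser rejected it as malformed."""
    try:
        parse_wrap_token(token)
        return True
    except MalformedToken:
        return False
```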

This computer vulnerability note impacts software or systems such as Debian, BIG-IP Hardware, TMOS, Fedora, AIX, MIT krb5, openSUSE, Oracle Communications, Solaris, RHEL, Ubuntu.

Our Vigil@nce team determined that the severity of this computer vulnerability announcement is medium.

The trust level is "confirmed by the editor" (the software vendor), and the attack origin is an intranet client.

This bulletin is about 2 vulnerabilities.

An attacker with expert ability can exploit this cybersecurity announcement.

Solutions for this threat 

MIT krb5: version 1.12.2.
The version 1.12.2 is fixed:
  http://web.mit.edu/kerberos/

MIT krb5: version 1.11.6.
The version 1.11.6 is fixed:
  http://web.mit.edu/kerberos/

MIT krb5: patch.
A patch is available in information sources.

AIX: patch for NAS.
A patch is available:
  ftp://aix.software.ibm.com/aix/efixes/security/nas1_fix.tar

Debian: new krb5 packages.
New packages are available:
  Debian 7: krb5 1.10.1+dfsg-5+deb7u2

F5 BIG-IP: fixed versions for MIT Kerberos 5.
Fixed versions are indicated in information sources.

Fedora: new krb5 packages.
New packages are available:
  Fedora 20: krb5 1.11.5-10.fc20
  Fedora 19: krb5 1.11.3-24.fc19

Mandriva: new krb5 packages.
New packages are available:
  Mandriva BS1: krb5 1.9.2-3.5.mbs1

Mandriva: new ocsinventory packages.
New packages are available:
  Mandriva BS1: ocsinventory 2.0.4-3.1.mbs1

openSUSE: new krb5 packages.
New packages are available:
  openSUSE 13.1: krb5 1.11.3-3.8.1
  openSUSE 12.3: krb5 1.10.2-10.26.1

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

RHEL 5: new krb5 packages.
New packages are available:
  RHEL 5: krb5 1.6.1-78.el5

RHEL 6: new krb5 packages.
New packages are available:
  RHEL 6: krb5 1.10.3-33.el6

RHEL 7: new krb5 packages.
New packages are available:
  RHEL 7: krb5 1.12.2-14.el7

Solaris 10: patch for Kerberos.
A patch is available:
  SPARC: 147793-15
  X86: 147794-15

Solaris: version 11.2.5.5.0.
The version 11.2.5.5.0 is fixed:
  https://support.oracle.com/rs?type=doc&id=1914034.1

Ubuntu: new krb5 packages.
New packages are available, as indicated in information sources.
