Slashdot Mirror


Remote Bug Found In Ubuntu Kerberos

Trailrunner7 writes "There's a remote vulnerability in the Kerberos implementation in several versions of Ubuntu, which could allow an attacker to cause a denial-of-service on vulnerable servers. The bug is in Ubuntu 8.04, Ubuntu 9.10, Ubuntu 10.04 and Ubuntu 10.10. The bug is in the Ubuntu implementation of the Kerberos authentication protocol. Ubuntu has released a slew of new packages to fix the flaw. The group said that in most cases, a normal system update will add the new fixes."

9 of 93 comments

  1. Re:Just asking by scdeimos · · Score: 4, Informative

    Just to answer my own question, it seems Canonical have their own maintainers for this. http://packages.ubuntu.com/maverick-updates/i386/krb5-kdc

  2. ftfa by Lehk228 · · Score: 5, Informative

    Keiichi Mori discovered that the MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial of service attack due to improper logic when a worker child process exited because of invalid network input.

    Kevin Longfellow and others discovered that the MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks when using an LDAP back end due to improper handling of network input.

    certainly not a good thing, but this isn't a remote hole

    --
    Snowden and Manning are heroes.
  3. Re:Just asking by un1xl0ser · · Score: 4, Informative

    It is MIT Kerberos, so yes. This came out last week.

    http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2011-002.txt

    --
    v4sw6PU$hw6ln6pr4F$ck 4/6$ma3+6u7LNS$w2m4l7U$i2e4+7en6a2X h
  4. Kerberos issue, Denial of Service, not critical by seifried · · Score: 5, Informative

    This is a Kerberos (server side) issue affecting vendors shipping Kerberos, not an Ubuntu specific issue. All 4 of the issues are denial of service only (which is bad for authentication infrastructure since you can basically prevent everyone from getting any work done). Nothing to get terribly worked up about.

    http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-001.txt

    http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-002.txt

  5. Re:Responsible disclosure by isopropanol · · Score: 3, Informative

    Kerberos is not in the Linux Kernel.

  6. Re:Responsible disclosure by 0123456 · · Score: 4, Informative

    The updates usually only fix things on disk and won't affect in-memory images of running executables.

    post-install script: /sbin/service thing-i-just-fixed restart

    Fortunately Linux doesn't have three zillion things running in the background that can't easily be restarted, unlike Windows.
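
    The point above (a package update replaces the binary and shared libraries on disk, but a long-running krb5kdc or kpropd keeps the old, still-vulnerable code mapped in memory until it is restarted) can be checked from /proc. The script below is an added example written for this mirror, not code from the original thread or from the Ubuntu or MIT krb5 projects. It assumes a Linux /proc filesystem; on Linux, when a mapped file is unlinked or replaced by a package upgrade, the kernel appends " (deleted)" to that mapping's pathname in /proc/PID/maps, which is the same signal that Debian's checkrestart tool (from debian-goodies) relies on. The sample maps content used in the usage note is constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes that still map executables or libraries
# which have been replaced on disk since the process started.
# Assumes Linux /proc (the "(deleted)" suffix on mappings is a Linux behaviour).

# deleted_mappings MAPSFILE
#   Print the unique pathnames in one /proc/PID/maps file whose backing file
#   has been unlinked or replaced. Field layout per line:
#     address perms offset dev inode pathname [ (deleted) ]
#   Anonymous mappings ([heap], [stack], blank path), /dev/* and memfd pseudo
#   files are skipped: they are routinely "(deleted)" and say nothing about
#   stale code.
deleted_mappings() {
    awk '$NF == "(deleted)" && $6 ~ /^\// && $6 !~ /^\/(dev\/|memfd:)/ { print $6 }' "$1" \
        | sort -u
}

# stale_processes
#   Walk every readable /proc/PID/maps and report PID, command name and the
#   replaced files. Processes whose maps cannot be read (other users' processes
#   when not running as root) are silently skipped. After a security update,
#   anything listed here is still running the pre-update code and needs a
#   restart (or a reboot for libc/kernel-level updates).
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        libs=$(deleted_mappings "$maps" 2>/dev/null) || continue
        [ -n "$libs" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        printf '%s %s\n' "$pid" "$comm"
        printf '%s\n' "$libs" | sed 's/^/    /'
    done
}

# Run the scan when executed directly (sourcing the file only defines the functions).
case "$0" in
    *stale*|*check*) stale_processes ;;
esac
```

    Running `stale_processes` as root right after `apt-get upgrade` of krb5 packages would show krb5kdc or kpropd with `/usr/lib/.../libkrb5.so.*` entries until `service krb5-kdc restart` is issued. On Debian and Ubuntu the packaged `checkrestart` (debian-goodies) does the same job with more polish, including mapping PIDs back to init scripts.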

  7. Re:Dear MS trolls: by Anonymous Coward · · Score: 3, Informative

    Except that here back in reality we have multitudes of real, published news stories about the building animosity between MS and whitehats who try to disclose bugs that MS doesn't care about and/or recognize, or possibly just ignore until they get around to it. There's problem #1 with your argument.

  8. Gosh, denial is a popular place by SmallFurryCreature · · Score: 4, Informative

    Except for the countless times that people have disclosed security problems to MS, found that MS didn't give a toss and finally after months release it to the public because if THEY know it, someone else might ALSO know it and be exploiting it.

    But I guess a MS fanboy truly believes ignorance is bliss.

    --
    MMO Quests are like orgasms:
    You may solo them, I prefer them in a group.

  9. This is news? by mr_lizard13 · · Score: 3, Informative

    Bug in software. Update fixes bug.

    Doesn't this happen all the time?

    --
    "We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman