Remote Bug Found In Ubuntu Kerberos

Trailrunner7 writes "There's a remote vulnerability in the Kerberos implementation in several versions of Ubuntu, which could allow an attacker to cause a denial-of-service on vulnerable servers. The bug is in Ubuntu 8.04, Ubuntu 9.10, Ubuntu 10.04 and Ubuntu 10.10. The bug is in the Ubuntu implementation of the Kerberos authentication protocol. Ubuntu has released a slew of new packages to fix the flaw. The group said that in most cases, a normal system update will add the new fixes."

Re:Just asking

[scdeimos]

Just to answer my own question, it seems Cannonical have their own maintainers for this. http://packages.ubuntu.com/maverick-updates/i386/krb5-kdc

ftfa

[Lehk228]

Keiichi Mori discovered that the MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial of service attack due to improper logic when a worker child process exited because of invalid network input.

Kevin Longfellow and others discovered that the MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks when using an LDAP back end due to improper handling of network input.

certainly not a good thing, but this isn't a remote hole

Re:Just asking

[un1xl0ser]

It is MIT Kerberos, so yes. This came out last week.

http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2011-002.txt

Kerberos issue, Denial of Service, not critical

[seifried]

This is a Kerberos (server side) issue affecting vendors shipping Kerberos, not an Ubuntu specific issue. All 4 of the issues are denial of service only (which is bad for authentication infrastructure since you can basically prevent everyone from getting any work done). Nothing to get terribly worked up about.

http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-001.txt

http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-002.txt

Re:Responsible disclosure

[0123456]

The updates usually only fix things on disk and won't affect in-memory images of running executables.

post-install script: /sbin/service restart thing-i-just-fixed

Fortunately Linux doesn't have three zillion things running in the background that can't easily be restarted, unlike Windows.

Gosh, denial is a popular place

[SmallFurryCreature]

Except for the countless times that people have disclosed security problems to MS, found that MS didn't give a toss and finally after months release it to the public because if THEY know it, some one else might ALSO know it and be exploiting it.

But I guess a MS fanboy truly believes ignorance is bliss.

Re:Gosh, denial is a popular place

[unapersson]

Does your rant have any basis in reality?

I'm not used Mac OSX for any significant length of time, but have been using Windows and Linux for years. Plenty of Windows software breaks on updates and/or becomes abandonware when the vendor goes out of business or stops making drivers for the older hardware on newer versions. One of the reasons I shifted my home PC to Linux was to escape all that nonsense of stuff you'd bought just suddenly stopping working on upgrade. Or degrading over time unless you do a complete re-install. I've always found Linux with it's updates a breath of fresh air compared to the hassles of keeping Windows up and running. My hardware and peripherals keeps working through many OS updates, user facing software is updated frequently. I assure you that Linux users would definitely be upset if user facing programs suddenly stopped working on update, so that seems a bizarre distinction to make.

And billions of dollars of software does run on Linux, I know we've got millions of dollars worth of software running on Linux just where I'm working. And there is that choice between running the latest and greatest, for stable but behind the curve which strong support from vendors.

Microsoft tends to tie its wagons together, despite having separate server and consumer versions.