Remote Bug Found In Ubuntu Kerberos
Trailrunner7 writes "There's a remote vulnerability in the Kerberos implementation in several versions of Ubuntu, which could allow an attacker to cause a denial-of-service on vulnerable servers. The bug is in Ubuntu 8.04, Ubuntu 9.10, Ubuntu 10.04 and Ubuntu 10.10. The bug is in the Ubuntu implementation of the Kerberos authentication protocol. Ubuntu has released a slew of new packages to fix the flaw. The group said that in most cases, a normal system update will add the new fixes."
Keiichi Mori discovered that the MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial of service attack due to improper logic when a worker child process exited because of invalid network input.
Kevin Longfellow and others discovered that the MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks when using an LDAP back end due to improper handling of network input.
certainly not a good thing, but this isn't a remote hole
Snowden and Manning are heroes.
This is a Kerberos (server-side) issue affecting vendors shipping Kerberos, not an Ubuntu-specific issue. All 4 of the issues are denial of service only (which is bad for authentication infrastructure since you can basically prevent everyone from getting any work done). Nothing to get terribly worked up about.
http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-001.txt
http://www.mit.edu/afs/athena/astaff/project/kerberos/www/advisories/MITKRB5-SA-2011-002.txt