[CVE-2007-5971] Kerberos vulnerability

Bug #210172 reported by disabled.user
Affects: krb5 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Ubuntu Backporters

Bug Description

Binary package hint: libkrb53

References:
GLSA 200803-31 (http://www.gentoo.org/security/en/glsa/glsa-200803-31.xml)
MDVSA-2008:069 (http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:069)

Quoting GLSA 200803-31:
"Venustech AD-LAB discovered multiple vulnerabilities in the GSSAPI library: usage of a freed variable in the gss_indicate_mechs() function (CVE-2007-5901) and a double free() vulnerability in the gss_krb5int_make_seal_token_v3() function (CVE-2007-5971)."

Quoting MDVSA-2008:069:
"Multiple memory management flaws were found in the GSSAPI library
used by Kerberos that could result in the use of already freed memory
or an attempt to free already freed memory, possibly leading to a
crash or allowing the execution of arbitrary code (CVE-2007-5901,
CVE-2007-5971)."

Morten Kjeldgaard (mok0) wrote :

The CVEs addressed in this bug have been resolved in the version now uploaded to hardy (1.6.dfsg.3~beta1-2ubuntu1). However, that version should be backported to the remaining supported releases.

Changed in krb5:
assignee: nobody → ubuntu-backporters
importance: Undecided → Medium
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :
Changed in krb5 (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
