Ubuntu
krb5 package

[CVE-2007-5971] Kerberos vulnerability

Bug #210172 reported by disabled.user on 2008-04-01

254

Affects		Status	Importance	Assigned to	Milestone
	krb5 (Ubuntu)	Fix Released	Medium	Ubuntu Backporters

Bug Description

Binary package hint: libkrb53

References:
GLSA 200803-31 (http://www.gentoo.org/security/en/glsa/glsa-200803-31.xml)
MDVSA-2008:069 (http://www.mandriva.com/en/security/advisories?name=MDVSA-2008:069)

Quoting GLSA 200803-31:
"Venustech AD-LAB discovered multiple vulnerabilities in the GSSAPI library: usage of a freed variable in the gss_indicate_mechs() function (CVE-2007-5901) and a double free() vulnerability in the gss_krb5int_make_seal_token_v3() function (CVE-2007-5971)."

Quoting MDVSA-2008:069:
"Multiple memory management flaws were found in the GSSAPI library
used by Kerberos that could result in the use of already freed memory
or an attempt to free already freed memory, possibly leading to a
crash or allowing the execution of arbitrary code (CVE-2007-5901,
CVE-2007-5971)."

CVE References

Revision history for this message

Morten Kjeldgaard (mok0) wrote on 2008-04-07:

The CVEs addressed in this bug have been resolved in the version now uploaded to hardy (1.6.dfsg.3~beta1-2ubuntu1). However, that version should be backported to the remaining supported releases.

Changed in krb5:
assignee:	nobody → ubuntu-backporters
importance:	Undecided → Medium
status:	New → Triaged

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2011-04-27:

http://www.ubuntu.com/usn/usn-924-1
http://www.ubuntu.com/usn/usn-940-1

Changed in krb5 (Ubuntu):
status:	Triaged → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntukrb5 package