krb5-1.13.2-12.el7

エラータID: AXSA:2016-190:01

Release date: 
Friday, April 1, 2016 - 03:36
Subject: 
krb5-1.13.2-12.el7
Affected Channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of sending passwords over the network in unencrypted form.

Security issues fixed with this release:

CVE-2015-8629
The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in
MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does
not verify whether '\0' characters exist as expected, which allows
remote authenticated users to obtain sensitive information or cause a
denial of service (out-of-bounds read) via a crafted string.
CVE-2015-8630
The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal
functions in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos
5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1
allow remote authenticated users to cause a denial of service (NULL
pointer dereference and daemon crash) by specifying KADM5_POLICY with
a NULL policy name.
CVE-2015-8631
Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in
MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 allow
remote authenticated users to cause a denial of service (memory
consumption) via a request specifying a NULL principal name.

Security Fix(es):

Solution: 

Update packages.

CVEs: 
CVE-2015-8629
The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string.
CVE-2015-8630
The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functions in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by specifying KADM5_POLICY with a NULL policy name.
CVE-2015-8631
Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (memory consumption) via a request specifying a NULL principal name.
Additional Info: 

N/A

Download: 

SRPMS
  1. krb5-1.13.2-12.el7.src.rpm
    MD5: 5ef6531f09b0b6cc5d15bc98bfbfeabc
    SHA-256: b4b750a9e93ca221af4dc1c64af9767435de0b8f0313aebf66ebc4b3087e925f
    Size: 13.24 MB

Asianux Server 7 for x86_64
  1. krb5-devel-1.13.2-12.el7.x86_64.rpm
    MD5: 80a881be9db621b57f0c4679ead498c1
    SHA-256: b98ad06d9de3513efc9130fadd670269829286081cfd3e19dff65d93e5f4a18e
    Size: 648.53 kB
  2. krb5-libs-1.13.2-12.el7.x86_64.rpm
    MD5: 7b82c5d287a781659923ca654d192b83
    SHA-256: a9aa884de6a13f090c7bf6d01d7bbf27e6b28f6a1989fe37b2a784e61d811625
    Size: 842.35 kB
  3. krb5-server-1.13.2-12.el7.x86_64.rpm
    MD5: d8fe560d23e1144e627bba22c258eb58
    SHA-256: 4347ffc15c43fd9621ce9a92a3f15df1a520a7e2721abeb84aaee7b25e0e69b1
    Size: 919.82 kB
  4. krb5-server-ldap-1.13.2-12.el7.x86_64.rpm
    MD5: 3a9089d693b263d465cbbffe520bbab8
    SHA-256: 22f78b1dca76db97d02cbd28cdb3e09348eb3d99b29f6916c824a1bf5c8a1cd7
    Size: 181.20 kB
  5. krb5-workstation-1.13.2-12.el7.x86_64.rpm
    MD5: 247a768305e04696a7030f0cc945a0ff
    SHA-256: 43ad04a32d1119ccda2d847d7cff71ea9fea501a5ef29679cb7660b2e3aa21cc
    Size: 764.43 kB
  6. krb5-devel-1.13.2-12.el7.i686.rpm
    MD5: 1b45f6d9a12af7a408c4b4f6aa571602
    SHA-256: 6e798de7fcce791f12e90df67556da1c0d7a2429279943fa05e948a878cab937
    Size: 647.48 kB
  7. krb5-libs-1.13.2-12.el7.i686.rpm
    MD5: a5fbd59413cbd7deaf74c02ed7e19e52
    SHA-256: 7661030b2cba1b4f4e8625629cab61bb0016069297182968d7b0aeb95405a22f
    Size: 836.78 kB