Immunix Security Team
08/04/03, 17:35
--r5Pyd7+fXNt84Ff3
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: Kerberos 5
Affected products: ImmunixOS 7.0, 7+
Bugs fixed: CAN-2003-0139 CAN-2003-0138 CAN-2003-0028 CAN-2003-0082
Date: Mon Apr 7 2003
Advisory ID: IMNX-2003-7+-007-01
Author: Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------
Description:
Multiple vulnerabilities have been found in the MIT Kerberos suite.
This release removes triple-DES support in Kerberos IV and cross-realm
authentication in Kerberos IV, as both are known to be insecure. This
release also fixes two denial of service attacks against the Kerberos
daemons.
All Kerberos users should upgrade to these packages, with the caveat
that organizations relying on Kerberos IV cross-realm authentication
should upgrade to Kerberos 5 first.
References: http://web.mit.edu/kerberos/www/advisories/
http://www.securityfocus.com/archive/1/317239/2003-03-29/2003-04-04/0
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/krb5-devel-1.2.5-1_=
imnx_1.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/krb5-libs-1.2.5-1_i=
mnx_1.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/krb5-server-1.2.5-1=
_imnx_1.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/krb5-workstation-1.=
2.5-1_imnx_1.i386.rpm
Immunix OS 7+ md5sums:
bf99edf8d08c5c06dd233b14ad0a83a3 krb5-devel-1.2.5-1_imnx_1.i386.rpm
568ad8140cb696ac928659a1c4011e9e krb5-libs-1.2.5-1_imnx_1.i386.rpm
54bbd2710288984a881df5aee9afcfca krb5-server-1.2.5-1_imnx_1.i386.rpm
6cc7d97598232886f314e4c5dc9b2540 krb5-workstation-1.2.5-1_imnx_1.i386.rpm
GPG verification: =
=20
Our public key is available at <http://wirex.com/security/GPG_KEY>. =
=20
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@wirex.com. WireX=20
attempts to conform to the RFP vulnerability disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>.
--r5Pyd7+fXNt84Ff3
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj6SJY0ACgkQVQcWL60UVMuy9wCghYNE9LtgBJ uBlmN3czdZ6AIu
nGsAoIUgWhqHb3Jh9SlG0g59CIa6+kFK
=X0/p
-----END PGP SIGNATURE-----
--r5Pyd7+fXNt84Ff3--
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
-----------------------------------------------------------------------
Immunix Secured OS Security Advisory
Packages updated: Kerberos 5
Affected products: ImmunixOS 7.0, 7+
Bugs fixed: CAN-2003-0139 CAN-2003-0138 CAN-2003-0028 CAN-2003-0082
Date: Mon Apr 7 2003
Advisory ID: IMNX-2003-7+-007-01
Author: Seth Arnold <sarnold@wirex.com>
-----------------------------------------------------------------------
Description:
Multiple vulnerabilities have been found in the MIT Kerberos suite.
This release removes triple-DES support in Kerberos IV and cross-realm
authentication in Kerberos IV, as both are known to be insecure. This
release also fixes two denial of service attacks against the Kerberos
daemons.
All Kerberos users should upgrade to these packages, with the caveat
that organizations relying on Kerberos IV cross-realm authentication
should upgrade to Kerberos 5 first.
References: http://web.mit.edu/kerberos/www/advisories/
http://www.securityfocus.com/archive/1/317239/2003-03-29/2003-04-04/0
Package names and locations:
Precompiled binary packages for Immunix 7+ are available at:
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/krb5-devel-1.2.5-1_=
imnx_1.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/krb5-libs-1.2.5-1_i=
mnx_1.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/krb5-server-1.2.5-1=
_imnx_1.i386.rpm
http://download.immunix.org/ImmunixOS/7+/Updates/RPMS/krb5-workstation-1.=
2.5-1_imnx_1.i386.rpm
Immunix OS 7+ md5sums:
bf99edf8d08c5c06dd233b14ad0a83a3 krb5-devel-1.2.5-1_imnx_1.i386.rpm
568ad8140cb696ac928659a1c4011e9e krb5-libs-1.2.5-1_imnx_1.i386.rpm
54bbd2710288984a881df5aee9afcfca krb5-server-1.2.5-1_imnx_1.i386.rpm
6cc7d97598232886f314e4c5dc9b2540 krb5-workstation-1.2.5-1_imnx_1.i386.rpm
GPG verification: =
=20
Our public key is available at <http://wirex.com/security/GPG_KEY>. =
=20
NOTE:
Ibiblio is graciously mirroring our updates, so if the links above are
slow, please try:
ftp://ftp.ibiblio.org/pub/Linux/distributions/immunix/
or one of the many mirrors available at:
http://www.ibiblio.org/pub/Linux/MIRRORS.html
ImmunixOS 6.2 is no longer officially supported.
ImmunixOS 7.0 is no longer officially supported.
Contact information:
To report vulnerabilities, please contact security@wirex.com. WireX=20
attempts to conform to the RFP vulnerability disclosure protocol
<http://www.wiretrip.net/rfp/policy.html>.
--r5Pyd7+fXNt84Ff3
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iEYEARECAAYFAj6SJY0ACgkQVQcWL60UVMuy9wCghYNE9LtgBJ uBlmN3czdZ6AIu
nGsAoIUgWhqHb3Jh9SlG0g59CIa6+kFK
=X0/p
-----END PGP SIGNATURE-----
--r5Pyd7+fXNt84Ff3--