Return-Path: owner-freebsd-security@FreeBSD.ORG
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Thu, 18 May 2000 13:25:49 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.ORG>
To: Derek Werthmuller <dwerthmu@ctg.albany.edu>
Cc: security@FreeBSD.ORG
Subject: Re: Any Advisory for the recent Kerberos 5 buffer overflow ?
In-Reply-To: <7A71D0D43B9ED1119EC10008C756C3042F7717@ctg-nt.ctg.albany.edu>
Message-ID: <Pine.BSF.4.21.0005181324310.63413-100000@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----

I'm going to try and get a formal advisory written tonight, but in the
meantime here's what I sent to bugtraq:

On Tue, 16 May 2000, Jeffrey I. Schiller wrote:

> SUMMARY:
> 
> Serious buffer overrun vulnerabilities exist in many implementations
> of Kerberos 4, including implementations included for backwards
> compatibility in Kerberos 5 implementations.  Other less serious
> buffer overrun vulnerabilites have also been discovered.  ALL KNOWN
> KERBEROS 4 IMPLEMENTATIONS derived from MIT sources are believed to be
> vulnerable.

For some reason CERT only gave the FreeBSD Security Officer team less than
5 hours last night (from 5:30PM EST when we were sent the draft to 10:30PM
EST when their advisory was released) to respond with vendor status, so
let me repeat it here for curious Bugtraq readers wondering why we were
absent from the advisory:

FreeBSD is not vulnerable by default: Kerberos is not installed by
default, and the base system uses KTH Kerberos, not MIT Kerberos, which is
not believed to be vulnerable. We do include a port of MIT Kerberos 5 in
the FreeBSD Ports Collection which was vulnerable, but has been patched to
address the known problems (from patches posted here and in the initial
advisory). All users who have chosen to install the
/usr/ports/security/krb5 port should immediately update their ports
collection and reinstall the port.

Kris
FreeBSD Ports Security Officer

- ----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Comment: Made with pgp4pine 1.74
Charset: noconv

iQCVAwUBOSRR3FUuHi5z0oilAQG3UwQAjXCROQrnzpY2HoVmDeazrf8Pp5FmUYcH
+8nAIYGo743vq1W04/uhatH66m9kYva2amt5fCG0ZdbWaGyziuEun4giXHVazoA+
cGYMefK+vHcfoY6N8DvRKmsEIE7p/S1JudGv6YHq6OGvw3mjUNWWkOL99GPPXmiD
5892ZWdWQlU=
=SW+k
-----END PGP SIGNATURE-----




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message