Date: Thu, 18 May 2000 13:25:49 -0700 (PDT)
From: Kris Kennaway
To: Derek Werthmuller
Cc: security@FreeBSD.ORG
Subject: Re: Any Advisory for the recent Kerberos 5 buffer overflow ?
In-Reply-To: <7A71D0D43B9ED1119EC10008C756C3042F7717@ctg-nt.ctg.albany.edu>

-----BEGIN PGP SIGNED MESSAGE-----

I'm going to try and get a formal advisory written tonight, but in the
meantime here's what I sent to bugtraq:

On Tue, 16 May 2000, Jeffrey I. Schiller wrote:

> SUMMARY:
>
> Serious buffer overrun vulnerabilities exist in many implementations
> of Kerberos 4, including implementations included for backwards
> compatibility in Kerberos 5 implementations. Other less serious
> buffer overrun vulnerabilities have also been discovered. ALL KNOWN
> KERBEROS 4 IMPLEMENTATIONS derived from MIT sources are believed to be
> vulnerable.

For some reason CERT only gave the FreeBSD Security Officer team less
than 5 hours last night (from 5:30PM EST when we were sent the draft to
10:30PM EST when their advisory was released) to respond with vendor
status, so let me repeat it here for curious Bugtraq readers wondering
why we were absent from the advisory:

FreeBSD is not vulnerable by default: Kerberos is not installed by
default, and the base system uses KTH Kerberos, not MIT Kerberos, which
is not believed to be vulnerable. We do include a port of MIT Kerberos 5
in the FreeBSD Ports Collection which was vulnerable, but has been
patched to address the known problems (from patches posted here and in
the initial advisory). All users who have chosen to install the
/usr/ports/security/krb5 port should immediately update their ports
collection and reinstall the port.
Kris
FreeBSD Ports Security Officer

- ----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Comment: Made with pgp4pine 1.74
Charset: noconv

iQCVAwUBOSRR3FUuHi5z0oilAQG3UwQAjXCROQrnzpY2HoVmDeazrf8Pp5FmUYcH
+8nAIYGo743vq1W04/uhatH66m9kYva2amt5fCG0ZdbWaGyziuEun4giXHVazoA+
cGYMefK+vHcfoY6N8DvRKmsEIE7p/S1JudGv6YHq6OGvw3mjUNWWkOL99GPPXmiD
5892ZWdWQlU=
=SW+k
-----END PGP SIGNATURE-----
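The remediation the message gives ("users who have chosen to install the
/usr/ports/security/krb5 port should immediately update their ports
collection and reinstall the port") as a small check-and-rebuild script.
This is an added example, not code from the message or from the FreeBSD
project. It assumes the FreeBSD 4.x `pkg_info` listing format
(`name-version  comment`) and the standard ports `deinstall`/`reinstall`
targets; the package listing embedded below is constructed sample output,
and the port directory argument is a placeholder for wherever the ports
tree lives. Updating the ports tree itself (cvsup or a fresh checkout) is
assumed to have been done beforehand.

```shell
#!/bin/sh
# Added example: is the MIT krb5 port installed, and if so rebuild it
# from the (already updated) ports tree.  Not from the original message.

# CONSTRUCTED sample of `pkg_info` output on FreeBSD 4.x.  On a real box,
# feed the function `$(pkg_info)` instead of this string.
SAMPLE_PKG_LIST='bash-2.04        The GNU Bourne Again Shell
krb5-1.1.1       An authentication system developed at MIT
pine-4.21        PINE(tm) -- a Program for Internet News & Email'

# krb5_port_installed LISTING
# Prints the installed krb5 package name and returns 0 if the MIT port
# ("krb5-<version>") is present, 1 otherwise.  KTH packages are not
# matched on purpose: the message says KTH Kerberos in the base system is
# not believed to be vulnerable, so only the MIT port needs rebuilding.
krb5_port_installed() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^krb5-[0-9]/ { print $1; found = 1 } END { exit !found }'
}

# reinstall_krb5_port [PORTSDIR]
# Builds the command that rebuilds the patched port.  DRY_RUN=1 (the
# default here, so the example is safe to run anywhere) only prints it;
# DRY_RUN=0 executes it.  PORTSDIR defaults to /usr/ports.
reinstall_krb5_port() {
    portdir="${1:-/usr/ports}/security/krb5"
    cmd="cd $portdir && make deinstall reinstall"
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        sh -c "$cmd"
    fi
}

# Stand-alone run: report status and show (or run) the rebuild step.
if pkg=$(krb5_port_installed "$SAMPLE_PKG_LIST"); then
    echo "vulnerable MIT port installed: $pkg -- rebuilding"
    reinstall_krb5_port /usr/ports
else
    echo "MIT krb5 port not installed; base-system KTH Kerberos is unaffected"
fi
```

On a live system the only change is replacing the constructed listing
with real `pkg_info` output and setting `DRY_RUN=0` once the ports tree
has been refreshed; the check deliberately keys on the port name rather
than on the presence of a `kinit` binary, since the base system ships a
KTH `kinit` that this advisory does not cover.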