Date: Thu, 18 May 2000 14:44:20 -0700 (PDT)
From: Kris Kennaway
To: Derek Werthmuller
Cc: security@FreeBSD.ORG
Subject: Re: Any Advisory for the recent Kerberos 5 buffer overflow ?

On Thu, 18 May 2000, Kris Kennaway wrote:

> I'm going to try and get a formal advisory written tonight, but in the
> meantime here's what I sent to bugtraq:

An addendum: Robert Watson pointed out to me that FreeBSD used to use a
closely-derived version of MIT Kerberos called eBones to provide Kerberos
functionality. Looking at the CVS history, it seems that FreeBSD 2.2
systems from before 1998 (i.e. 2.2.5-RELEASE and earlier) may be
vulnerable to this problem if you installed the eBones (Kerberos)
distribution.

If anyone still has such a system in production you're strongly advised to
upgrade it at least to 2.2.8-STABLE (2.2.6-RELEASE replaced eBones with
KTH Kerberos). Note however that 2.2 systems are no longer officially
supported for security fixes and not all such fixes are backported (3.4
and later are the only supported releases).

Kris

----
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe