http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce hourly 1 1901-01-01T00:00+00:00 http://gmane.org/img/gmane-25t.png http://gmane.org http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/134 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.10.1. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.10.1 ==================================== You may retrieve the Kerberos 5 Release 1.10.1 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.10.1 release is: http://web.mit.edu/kerberos/krb5-1.10/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: http://www.kerberos.org/ DES transition ============== The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away - From using single-DES cryptosystems. Among these is a configuration variable tha</pre> Tom Yu 2012-03-08T21:35:56 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/133 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.8.6. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.8.6 =================================== You may retrieve the Kerberos 5 Release 1.8.6 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.8.6 release is: http://web.mit.edu/kerberos/krb5-1.8/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: http://www.kerberos.org/ DES transition ============== The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting "allow_weak_crypto = true" to communicate with existing Kerberos infrastructures if they do not support </pre> Tom Yu 2012-02-07T04:19:04 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/132 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.9.3. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.9.3 =================================== You may retrieve the Kerberos 5 Release 1.9.3 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.9.3 release is: http://web.mit.edu/kerberos/krb5-1.9/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: http://www.kerberos.org/ DES transition ============== The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away - From using single-DES cryptosystems. Among these is a configuration variable that enab</pre> Tom Yu 2012-02-07T03:34:26 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/131 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.10. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.10 ================================== You may retrieve the Kerberos 5 Release 1.10 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.10 release is: http://web.mit.edu/kerberos/krb5-1.10/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: http://www.kerberos.org/ DES transition ============== The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away - From using single-DES cryptosystems. Among these is a configuration variable that enables </pre> Tom Yu 2012-01-27T21:55:27 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/130 <pre>Version 1.0.3 of the krb5-appl package has been released. This package contains the Kerberized versions of telnet, ftp, and the rlogin suite. The new release can be found at: http://web.mit.edu/kerberos/dist/ This is a security bugfix release, with the following change: * Fix MITKRB5-SA-2011-008 (CVE-2011-4862). </pre> ghudson< at >mit.edu 2011-12-27T17:24:40 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/129 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-008 MIT krb5 Security Advisory 2011-008 Original release: 2011-12-26 Last update: 2011-12-26 Topic: buffer overflow in telnetd CVE-2011-4862 CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C CVSSv2 Base Score: 10 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete CVSSv2 Temporal Score: 8.3 Exploitability: Functional Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= The telnet daemon (telnetd) in MIT krb5 (and in krb5-appl after the applications were moved to a separate distribution for krb5-1.8) is vulnerable to a buffer overflow. The flaw does not require authentication to exploit. Exploit code is reported to be actively used in the wild. IMPACT ====== An unauthenticated remote attacker can cause a buffer overflow and probably execute arbit</pre> Tom Yu 2011-12-26T21:14:12 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/128 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-007 MIT krb5 Security Advisory 2011-007 Original release: 2011-12-06 Last update: 2011-12-06 Topic: KDC null pointer dereference in TGS handling CVE-2011-1530 KDC null pointer dereference in TGS handling CVSSv2 Vector: AV:N/AC:L/Au:S/C:N/I:C/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 6.8 Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 5.9 Exploitability: High Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= In releases krb5-1.9 and later, the KDC can crash due to a null pointer dereference in code that handles TGS (Ticket Granting Service) requests. The trigger condition is trivial to produce using unmodified client software, but requires the ability to authenticate as a principal in the KDC's realm. IMPACT ====== An authen</pre> Tom Yu 2011-12-06T19:07:40 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/127 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.8.5. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.8.5 =================================== You may retrieve the Kerberos 5 Release 1.8.5 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.8.5 release is: http://web.mit.edu/kerberos/krb5-1.8/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: http://www.kerberos.org/ DES transition ============== The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults setting "allow_weak_crypto = true" to communicate with existing Kerberos infrastructures if they do not support </pre> Tom Yu 2011-11-04T23:53:03 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/126 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.9.2. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.9.2 =================================== You may retrieve the Kerberos 5 Release 1.9.2 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.9.2 release is: http://web.mit.edu/kerberos/krb5-1.9/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: http://www.kerberos.org/ DES transition ============== The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away - From using single-DES cryptosystems. Among these is a configuration variable that enab</pre> Tom Yu 2011-11-02T22:56:54 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/125 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-006 MIT krb5 Security Advisory 2011-006 Original release: 2011-10-18 Last update: 2011-10-18 Topic: KDC denial of service vulnerabilities CVE-2011-1527: null pointer dereference in KDC LDAP back end CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 7.8 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 6.8 Exploitability: High Remediation Level: Official Fix Report Confidence: Confirmed CVE-2011-1528: assertion failure in multiple KDC back ends CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 7.8 CVSSv2 Temporal Score: 6.1 CVE-2011-1529: null pointer dereference in multiple KDC back ends CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 7.8 CVSSv2 Temporal Score: 6.1 </pre> Tom Yu 2011-10-18T18:06:02 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/124 <pre>Version 1.0.2 of the krb5-appl package has been released. This package contains the Kerberized versions of telnet, ftp, and the rlogin suite. The new release can be found at: http://web.mit.edu/kerberos/dist/ This is a bugfix release, with the following changes: * Fix MITKRB5-SA-2011-005 (CVE-2011-1526). * Man page formatting fixes. * Portability fixes to GNU Hurd and Alpha Linux. * Correctly parse "restrict" lines in the ftpusers file. * Allow username lengths up to UT_NAMESIZE characters in rshd. </pre> ghudson< at >MIT.EDU 2011-07-11T20:00:45 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/123 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-005 MIT krb5 Security Advisory 2011-005 Original release: 2011-07-05 Topic: FTP daemon fails to set effective group ID CVE-2011-1526 CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:O/RC:C CVSSv2 Base Score: 6.5 Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial CVSSv2 Temporal Score: 5.7 Exploitability: High Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= A remote client of the GSS-API FTP daemon in the krb5-appl distribution can access files using the effective group ID that the FTP daemon process had when it started. IMPACT ====== An authenticated remote user can gain unauthorized read or write access to files whose group owner is the initial effective group ID of the FTP daemon process. This is often GID 0 ("root" or "wheel"). The severity of </pre> Tom Yu 2011-07-05T18:06:17 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/122 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.7.2. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.7.2 =================================== You may retrieve the Kerberos 5 Release 1.7.2 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.7.2 release is: http://web.mit.edu/kerberos/krb5-1.7/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: http://www.kerberos.org/ DES transition ============== The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release will contain measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that en</pre> Tom Yu 2011-05-24T23:35:55 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/121 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.8.4. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. Note that there is a GSS-API behavior change introduced by this release: see below for additional information. RETRIEVING KERBEROS 5 RELEASE 1.8.4 =================================== You may retrieve the Kerberos 5 Release 1.8.4 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.8.4 release is: http://web.mit.edu/kerberos/krb5-1.8/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: http://www.kerberos.org/ DES transition ============== The krb5-1.8 release disables single-DES cryptosystems by default. As a result, you may need to add the libdefaults </pre> Tom Yu 2011-05-24T23:34:29 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/120 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.9.1. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.9.1 =================================== You may retrieve the Kerberos 5 Release 1.9.1 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.9.1 release is: http://web.mit.edu/kerberos/krb5-1.9/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: http://www.kerberos.org/ DES transition ============== The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away - From using single-DES cryptosystems. Among these is a configuration variable that enab</pre> Tom Yu 2011-05-05T22:28:54 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/119 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-004 MIT krb5 Security Advisory 2011-004 Original release: 2011-04-12 Last update: 2011-04-12 Topic: kadmind invalid pointer free() CVE-2011-0285 CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 10 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete CVSSv2 Temporal Score: 7.8 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= The password-changing capability of the MIT krb5 administration daemon (kadmind) has a bug that can cause it to attempt to free() an invalid pointer under certain error conditions. This can cause the daemon to crash or induce the execution of arbitrary code (which is believed to be difficult). No exploit that executes arbitrary code is known to exist, but it is easy to t</pre> Tom Yu 2011-04-13T18:33:10 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/118 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-003 MIT krb5 Security Advisory 2011-003 Original release: 2011-03-15 Last update: 2011-03-15 Topic: KDC vulnerable to double-free when PKINIT enabled CVE-2011-0284 CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C CVSSv2 Base Score: 9.3 Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete CVSSv2 Temporal Score: 7.3 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult). IMPACT ====== An unauthenticated remote attacker can induce a double-fre</pre> Tom Yu 2011-03-15T18:06:29 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/117 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-001 MIT krb5 Security Advisory 2011-001 Original release: 2011-02-08 Last update: 2011-02-08 Topic: kpropd denial of service CVE-2010-4022 CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:OF/RC:C CVSSv2 Base Score: 5 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial CVSSv2 Temporal Score: 4.4 Exploitability: High Remediation Level: Official Fix Report Confidence: Confirmed SUMMARY ======= The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial-of-service attack triggered by invalid network input. If a kpropd worker process receives invalid input that causes it to exit with an abnormal status, it can cause the termination of the listening process that spawned it, preventing the slave KDC it was running on from receiving database updates from the master KDC. Expl</pre> Tom Yu 2011-02-08T19:53:36 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/116 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2011-002 MIT krb5 Security Advisory 2011-002 Original release: 2011-02-08 Last update: 2011-02-08 Topic: KDC denial of service attacks CVE-2011-0281: KDC vulnerable to hang when using LDAP back end CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 7.8 Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Complete CVSSv2 Temporal Score: 6.8 Exploitability: High Remediation Level: Official Fix Report Confidence: Confirmed CVE-2011-0282: KDC vulnerable to crash when using LDAP back end CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 7.8 CVSSv2 Temporal Score: 6.8 CVE-2011-0283: krb5-1.9 KDC vulnerable to crash CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C CVSSv2 Base Score: 7.8 CVSSv2 Temporal Score: 6.8 SUMMARY ======= The MI</pre> Tom Yu 2011-02-08T19:53:59 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/115 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.9. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.9 ================================= You may retrieve the Kerberos 5 Release 1.9 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.9 release is: http://web.mit.edu/kerberos/krb5-1.9/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ and at the MIT Kerberos Consortium web site: http://www.kerberos.org/ DES transition ============== The Data Encryption Standard (DES) is widely recognized as weak. The krb5-1.7 release contains measures to encourage sites to migrate away - From using single-DES cryptosystems. Among these is a configuration variable that enables "weak"</pre> Tom Yu 2010-12-22T22:03:08 http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/114 <pre>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MITKRB5-SA-2010-007 MIT krb5 Security Advisory 2010-007 Original release: 2010-11-30 Last update: 2010-11-30 Topic: Multiple checksum handling vulnerabilities CVE-2010-1324 * krb5 GSS-API applications may accept unkeyed checksums * krb5 application services may accept unkeyed PAC checksums * krb5 KDC may accept low-entropy KrbFastArmoredReq checksums CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:C/A:N/E:POC/RL:OF/RC:C CVSSv2 Base Score: 7.1 Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Complete Availability Impact: None CVSSv2 Temporal Score: 5.6 Exploitability: Proof-of-Concept Remediation Level: Official Fix Report Confidence: Confirmed CVE-2010-1323 * krb5 clients may accept unkeyed SAM-2 challenge checksums * krb5 may accept KRB-SAFE checksums with low-entropy derived keys CVSSv2 Vector: AV:N/AC:H/Au:N/C:N/I:C/A:N/E:POC/RL:OF/RC:C CVS</pre> Tom Yu 2010-11-30T19:13:42 Search the mailing list at Gmane query http://search.gmane.org/?group=$group=gmane.comp.encryption.kerberos.announce