Bulletin d'alerte Debian

DSA-2129-1 krb5 -- Faiblesse dans la vérification de somme de contrôle

Date du rapport :
1er décembre 2010
Paquets concernés :
krb5
Vulnérabilité :
Oui
Références dans la base de données de sécurité :
Dans le dictionnaire CVE du Mitre : CVE-2010-1323.
Plus de précisions :

Une vulnérabilité a été découverte dans krb5, l'implémentation du MIT de Kerberos.

Les clients krb5 MIT acceptent, à tort, des sommes de contrôle sans clef dans le challenge de préauthentification SAM-2 : un attaquant distant non authentifié peut modifier un challenge SAM-2, atteignant le texte d'invite vu par l'utilisateur ou le type de réponse envoyé au KDC. Dans certaines circonstances, cela peut annuler l'intérêt de sécurité incrémentielle du mécanisme d'authentification par jeton unique.

krb5 MIT accepte inexactement les sommes de contrôle de dérivation de clef de la RFC 3961 en utilisant des clefs RC4 lors de la vérification des messages KRB-SAFE : un attaquant distant non authentifié a une chance sur 256 de contrefaire des messages KRB-SAFE dans un protocole d'application si la session préexistante ciblée utilise une clef de session RC4. Peu de protocoles d'application utilisent des messages KRB-SAFE.

Le projet « Common Vulnerabilities and Exposures » (CVE) a attribué le CVE-2010-1323 à ces problèmes.

Pour la distribution stable (Lenny), ce problème a été corrigé dans la version 1.6.dfsg.4~beta1-5lenny6.

Les constructions pour l'architecture mips ne font pas partie de cette annonce. Elles seront publiées dès qu'elles seront disponibles.

Pour la distribution testing (Squeeze) et la distribution unstable (Sid), ce problème a été corrigé dans la version 1.8.3+dfsg-3.

Nous vous recommandons de mettre à jour vos paquets krb5.

Corrigé dans :

Debian GNU/Linux 5.0 (lenny)

Source :
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.6.dfsg.4~beta1-5lenny6.dsc
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.6.dfsg.4~beta1-5lenny6.diff.gz
http://security.debian.org/pool/updates/main/k/krb5/krb5_1.6.dfsg.4~beta1.orig.tar.gz
Composant indépendant de l'architecture :
http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.6.dfsg.4~beta1-5lenny6_all.deb
Alpha:
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_alpha.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_alpha.deb
AMD64:
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_amd64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_amd64.deb
ARM:
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_arm.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_arm.deb
ARM EABI:
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_armel.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_armel.deb
HP Precision:
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_hppa.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_hppa.deb
Intel IA-32:
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_i386.deb
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_i386.deb
Intel IA-64:
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_ia64.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_ia64.deb
Little-endian MIPS:
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_mipsel.deb
PowerPC:
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_powerpc.deb
IBM S/390:
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_s390.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_s390.deb
Sun Sparc:
http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dbg_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc-ldap_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-pkinit_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.6.dfsg.4~beta1-5lenny6_sparc.deb
http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.6.dfsg.4~beta1-5lenny6_sparc.deb

Les sommes MD5 des fichiers indiqués sont disponibles sur la page originale de l'alerte de sécurité.