Synopsis: Important: krb5 security update
Issue Date: 2011-02-08
CVE Numbers: CVE-2011-0281
Kerberos is a network authentication system which allows clients and
servers to authenticate to each other using symmetric encryption and a
trusted third-party, the Key Distribution Center (KDC).
A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC
processed principal names that were not null terminated, when the KDC was
configured to use an LDAP back end. A remote attacker could use this flaw
to crash the KDC via a specially-crafted request. (CVE-2011-0282)
A denial of service flaw was found in the way the MIT Kerberos KDC
processed certain principal names when the KDC was configured to use an
LDAP back end. A remote attacker could use this flaw to cause the KDC to
hang via a specially-crafted request. (CVE-2011-0281)
Red Hat would like to thank the MIT Kerberos Team for reporting these
issues. Upstream acknowledges Kevin Longfellow of Oracle Corporation as the
original reporter of the CVE-2011-0281 issue.
All krb5 users should upgrade to these updated packages, which contain a
backported patch to correct these issues. After installing the updated
packages, the krb5kdc daemon will be restarted automatically.
– Scientific Linux Development Team