In association with heise online

22 November 2006, 11:12

Hole in Kerberos module threatens Apache web server

The Kerberos authentication protocol is intended to make networks more secure, but a security hole in the mod_auth_kerb Apache module means that it has exactly the opposite effect. Attackers could use specially prepared Kerberos queries to crash web servers with version 5.0, 5.1 or 5.2 of the module installed – or even plant and execute arbitrary code. Other versions of the module may also potentially be affected.

No more precise details about the bug are available as yet, but it is purportedly related to a heap overflow in the der_get_oid function in spnegokrb5/der_get.c. No official update has been released. It seems likely, however, that the Linux distributors will release updated packages soon.
