09 August 2006, 14:30

MIT patches Kerberos

The Massachusetts Institute of Technology has pointed out multiple vulnerabilities in its Kerberos implementation, which can be exploited by unprivileged users of a system to escalate their privileges. According to error reports, a number of applications which do not always check setuid() and seteuid() calls correctly are included in the Kerberos 5 source code distribution . These would enable an attacker to achieve root privileges.

The actual risk, however, depends on the operating system. So, for example, under Linux and AIX, only the unchecked setuid() calls present a problem. Indeed AIX is only affected if the MIT Kerberos implementation, rather than the IBM implementation, is used. The errors are present in all versions up to and including 1.5 and 1.4.x. The errors have been corrected in rb5-1.5.1 and krb5-1.4.4.

Channels

Services

MIT patches Kerberos

Also on The H:

Content Security Policy halts XSS in its tracks

Skype's ominous link checking: Facts and speculation

Password protection for everyone

Two clicks for more privacy

What's new in SUSE Linux Enterprise 11 SP3

What's new in Fedora 19

What's new in Linux 3.10

Free Software post-PRISM

Kernel Log: Coming in 3.10 (Part 4) - Drivers

The trouble with "Business Source"

Kernel Log: Coming in 3.10 (Part 3) - Infrastructure

Whatever happened to Google?

Java EE 7 at a glance

Continuous database migration with Liquibase and Flyway

Unit testing with Node.js

Ruby 2.0 - the 20th birthday present

Linux Mint 15: A better Ubuntu for the desktop

What's new in Linux 3.9

Replacing Google Reader

Attacking TrueCrypt

The H

The H Open

The H Security

The H Developer

The H Internet Toolkit