Advisory MITKRB5-SA-2007-004 concerns the following vulnerabilities:
CVE-2007-2442:
CVE-2007-2443:
An unauthenticated remote user may be able to cause a host running
kadmind to execute arbitrary code. CVE-2007-2442 is more likely to
lead to arbitrary code execution than CVE-2007-2443.
Successful exploitation can compromise the Kerberos key database and
host security on the host running these programs. (kadmind typically
runs as root.) Unsuccessful exploitation attempts will likely result
in the affected program crashing.
Third-party applications calling the RPC library provided with MIT
krb5 may be vulnerable. Other RPC libraries derived from SunRPC may
be vulnerable.
This vulnerability affects MIT krb5 releases up to and including
krb5-1.6.1. It can affect third-party applications using the RPC
library provided with MIT krb5 releases up to and including
krb5-1.6.1.
Copyright (C) 2007 Massachusetts Institute of Technology
IDENTIFIER = WIND00108245
Patch WIND00108257 is for 1.4
Patch WIND00108263 is for 1.5
1. Unzip the patch under [install_dir]/updates
2. Install the patch CD by entering the patch CD directory and running setup_linux.
3. This is a source-only patch, so you will have to build the kernel.
4. Issue a make fs and make the kernel in a configured directory.
5. Upload the kernel and rootfs into the target and boot it up.