#1
US CERT Advisory - MIT KERBEROS
National Cyber Alert System

Technical Cyber Security Alert TA08-079B

MIT Kerberos Updates for Multiple Vulnerabilities

Original release date: March 19, 2008
Last revised: --
Source: US-CERT

Systems Affected

* MIT Kerberos

Overview

The MIT Kerberos implementation contains several vulnerabilities. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code, compromise the key database or cause a denial of service on a vulnerable system.

I. Description

The MIT Kerberos Development Team has released MIT krb5 Security Advisory 2008-002 to address vulnerabilities in multiple versions of MIT Kerberos. More information about these vulnerabilities can be found in VU#895609 and VU#374121.

II. Impact

Potential consequences include arbitrary code execution, key database compromise, and denial of service.

III. Solution

Install updates from your vendor

Check with your vendors for patches or updates. For information about a vendor, please see the systems affected section in vulnerability notes VU#895609 and VU#374121 or contact your vendor directly. Administrators who compile MIT Kerberos from source should refer to MIT Security Advisory 2008-002 for more information.

IV. References

* US-CERT Vulnerability Note VU#895609 - http://www.kb.cert.org/vuls/id/895609
* US-CERT Vulnerability Note VU#374121 - http://www.kb.cert.org/vuls/id/374121
* MIT krb5 Security Advisory 2008-002 - http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt2

_________________________________________________________________

The most recent version of this document can be found at:

http://www.us-cert.gov/cas/techalerts/TA08-079B.html

_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA08-079B Feedback VU#895609" in the subject.

_________________________________________________________________

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.

_________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use: http://www.us-cert.gov/legal.html

_________________________________________________________________

Revision History

March 19, 2008: Initial release

--
MEB
http://peoplescounsel.orgfree.com
#3
US CERT Advisory - MIT KERBEROS
"David H. Lipman" wrote in message ...
| From: "MEB" meb@not
|
| | -----BEGIN PGP SIGNED MESSAGE-----
| | Hash: SHA1
| |
| | National Cyber Alert System
| |
| | Technical Cyber Security Alert TA08-079B
| |
| | MIT Kerberos Updates for Multiple Vulnerabilities
| |
| | Original release date: March 19, 2008
| | Last revised: --
| | Source: US-CERT
| |
| | Systems Affected
| |
| | * MIT Kerberos
| |
|
| Since when is Kerberos used in Win9x/ME ?
|
| --
| Dave

http://web.mit.edu/Kerberos/dist/ - Welcome to the MIT Kerberos Distribution Page!

Don't tell me you didn't know...

--
MEB
http://peoplescounsel.orgfree.com
#4
US CERT Advisory - MIT KERBEROS
I should have added:

1. The warning is more for dual booters who may be using one of MIT's versions.
2. To indicate flaws in KERBEROS generally, regardless of version.

--
MEB
http://peoplescounsel.orgfree.com
#6
US CERT Advisory - MIT KERBEROS
From: "MEB" meb@not

| I should have added:
|
| 1. The warning is more for dual booters who may be using one of MIT's
| versions.
|
| 2. To indicate flaws in KERBEROS generally, regardless of version.
|
| --
| MEB
| http://peoplescounsel.orgfree.com

That's just it. Kerberos authentication is not used in Win9x/ME.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
#7
US CERT Advisory - MIT KERBEROS
"David H. Lipman" wrote in message ...
| From: "MEB" meb@not
|
| | I should have added:
| |
| | 1. The warning is more for dual booters who may be using one of MIT's
| | versions.
| |
| | 2. To indicate flaws in KERBEROS generally, regardless of version.
| |
| | --
| | MEB
| | http://peoplescounsel.orgfree.com
|
| That's just it. Kerberos authentication is not used in Win9x/ME.
|
| --
| Dave
| http://www.claymania.com/removal-trojan-adware.html
| Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
|
|

You should have at least used the link I provided before rambling on about things you apparently don't know.

MIT Kerberos for Windows 2.6.5
MIT Kerberos for Windows (KfW) includes Kerberos v4, Kerberos v5, Leash32, KClient, and an in-memory credentials cache. It runs on Windows 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not supported).
http://web.mit.edu/kerberos/dist/historic.html

Just as any third party program may not have YOUR usage or your backing: MIT did produce a few versions for 9X/ME {to 2.6.5}, just as they produced a good suite of PGP and tools which worked with Kerberos and 98*E/ME.

Kerberos is NOT the private domain of Windows Servers, in fact Microsoft's Windows and servers were late to the Kerberos idea and ACTUAL standards {as usual Microsoft tried to produce its own standards; Server 2000/Win2K, in fact, included a broken attempt}.

Just because you don't use the program, and apparently know nothing pertaining to it in the 98*E/ME environment, doesn't mean there are not others on this planet who may have used it, and perhaps still use it in their 98*E/ME environment. Several programmers are still working on the Linux to 98/ME ports, though they are difficult to find [I include no links as these are experimental.].

Microsoft TRIED to include parts of it in its NTLM protocol, and Winsock 2.0. RNR20.DLL provides an attempt of some of the ideas, as does MSXML3.DLL, WININET.DLL, two of Microsoft's JAVA packages, and several other files included in those systems related to networking. Kerberos is actually assigned ports in SERVICES, btw

--
MEB
http://peoplescounsel.orgfree.com
#8
US CERT Advisory - MIT KERBEROS
From: "MEB" meb@not

| You should have at least used the link I provided before rambling on about
| things you apparently don't know.
| MIT Kerberos for Windows 2.6.5
| MIT Kerberos for Windows (KfW) includes Kerberos v4, Kerberos v5, Leash32,
| KClient, and an in-memory credentials cache. It runs on Windows
| 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not supported).
| http://web.mit.edu/kerberos/dist/historic.html
|
| Just as any third party program may not have YOUR usage or your backing:
| MIT did produce a few versions for 9X/ME {to 2.6.5}, just as they produced a
| good suite of PGP and tools which worked with Kerberos and 98*E/ME.
| Kerberos is NOT the private domain of Windows Servers, in fact Microsoft's
| Windows and servers were late to the Kerberos idea and ACTUAL standards{as
| usual Microsoft tried to produce its own standards; Server 2000/Win2K, in
| fact, included a broken attempt}.
| Just because you don't use the program, and apparently know nothing
| pertaining to it in the 98*E/ME environment, doesn't mean there are not
| others on this planet who may have used it, and perhaps still use it in
| their 98*E/ME environment. Several programmers are still working on the
| Linux to 98/ME ports, though they are difficult to find [I include no links
| as these are experimental.].
| Microsoft TRIED to include parts of it in its NTLM protocol, and Winsock
| 2.0. RNR20.DLL provides an attempt of some of the ideas, as does MSXML3.DLL,
| WININET.DLL, two of Microsoft's JAVA packages, and several other files
| included in those systems related to networking. Kerberos is actually
| assigned ports in SERVICES, btw
|
| --
| MEB
| http://peoplescounsel.orgfree.com

OK, I'll admit it may be used in third party software but it is not natively implemented in Win9x/ME.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
#9
US CERT Advisory - MIT KERBEROS
"David H. Lipman" wrote in message ...
| From: "MEB" meb@not
|
| |
| | You should have at least used the link I provided before rambling on about
| | things you apparently don't know.
| | MIT Kerberos for Windows 2.6.5
| | MIT Kerberos for Windows (KfW) includes Kerberos v4, Kerberos v5, Leash32,
| | KClient, and an in-memory credentials cache. It runs on Windows
| | 98/98SE/ME/NT4/2000/XP/2003. (Windows 95 is not supported).
| | http://web.mit.edu/kerberos/dist/historic.html
| |
| | Just as any third party program may not have YOUR usage or your backing:
| | MIT did produce a few versions for 9X/ME {to 2.6.5}, just as they produced a
| | good suite of PGP and tools which worked with Kerberos and 98*E/ME.
| | Kerberos is NOT the private domain of Windows Servers, in fact Microsoft's
| | Windows and servers were late to the Kerberos idea and ACTUAL standards{as
| | usual Microsoft tried to produce its own standards; Server 2000/Win2K, in
| | fact, included a broken attempt}.
| | Just because you don't use the program, and apparently know nothing
| | pertaining to it in the 98*E/ME environment, doesn't mean there are not
| | others on this planet who may have used it, and perhaps still use it in
| | their 98*E/ME environment. Several programmers are still working on the
| | Linux to 98/ME ports, though they are difficult to find [I include no links
| | as these are experimental.].
| | Microsoft TRIED to include parts of it in its NTLM protocol, and Winsock
| | 2.0. RNR20.DLL provides an attempt of some of the ideas, as does MSXML3.DLL,
| | WININET.DLL, two of Microsoft's JAVA packages, and several other files
| | included in those systems related to networking. Kerberos is actually
| | assigned ports in SERVICES, btw
| |
| | --
| | MEB
| | http://peoplescounsel.orgfree.com
|
| OK, I'll admit it may be used in third party software but it is not natively implemented in
| Win9x/ME.
|
| --
| Dave

Ah, you missed the lower part of that apparently,,, Microsoft ATTEMPTED to bring parts of Kerberos into Windows 98. It never *fully* supported it natively. None the less, 98 does have Kerberos aspects [just not named such] included within it.

Segments were used in SSL as well.

Microsoft didn't CLAIM Kerberos compatibility included [and main authentication] until Server 2000/win2K or via addins. As usual, Microsoft's programmers use ideas and code provided in the outside world within its OSs, and Microsoft users swooned over it..

--
MEB
http://peoplescounsel.orgfree.com
#10
US CERT Advisory - MIT KERBEROS
From: "MEB" meb@not

|
| Ah, you missed the lower part of that apparently,,, Microsoft ATTEMPTED to
| bring parts of Kerberos into Windows 98. It never *fully* supported it
| natively. None the less, 98 does have Kerberos aspects [just not named such]
| included within it.
| Segments were used in SSL as well.
| Microsoft didn't CLAIM Kerberos compatibility included [and main
| authentication] until Server 2000/win2K or via addins. As usual, Microsoft's
| programmers use ideas and code provided in the outside world within its OSs,
| and Microsoft users swooned over it..
|
| --
| MEB
| http://peoplescounsel.orgfree.com

Fair enough.

BTW: I receive the same email :-)

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp