Amazon Linux Local Security Checks : Amazon Linux: Security Advisory (ALAS-2015-518)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.120539

Categoría: Amazon Linux Local Security Checks

Título: Amazon Linux: Security Advisory (ALAS-2015-518)

Resumen: The remote host is missing an update for the 'krb5' package(s) announced via the ALAS-2015-518 advisory.

Descripción: Summary:
The remote host is missing an update for the 'krb5' package(s) announced via the ALAS-2015-518 advisory.

Vulnerability Insight:
A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. (CVE-2014-5352)

If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. (CVE-2014-5353)

It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355)

A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. (CVE-2014-9421)

It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422)

Affected Software/OS:
'krb5' package(s) on Amazon Linux.

Solution:
Please install the updated package(s).

CVSS Score:
9.0

CVSS Vector:
AV:N/AC:L/Au:S/C:C/I:C/A:C

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2014-5352
BugTraq ID: 72495
http://www.securityfocus.com/bid/72495
Debian Security Information: DSA-3153 (Google Search)
http://www.debian.org/security/2015/dsa-3153
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151437.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:069
RedHat Security Advisories: RHSA-2015:0439
http://rhn.redhat.com/errata/RHSA-2015-0439.html
RedHat Security Advisories: RHSA-2015:0794
http://rhn.redhat.com/errata/RHSA-2015-0794.html
SuSE Security Announcement: SUSE-SU-2015:0257 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html
SuSE Security Announcement: SUSE-SU-2015:0290 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html
SuSE Security Announcement: openSUSE-SU-2015:0255 (Google Search)
http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html
http://www.ubuntu.com/usn/USN-2498-1
Common Vulnerability Exposure (CVE) ID: CVE-2014-5353
BugTraq ID: 71679
http://www.securityfocus.com/bid/71679
http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155828.html
http://www.mandriva.com/security/advisories?name=MDVSA-2015:009
https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html
http://www.securitytracker.com/id/1031376
SuSE Security Announcement: openSUSE-SU-2015:0542 (Google Search)
http://lists.opensuse.org/opensuse-updates/2015-03/msg00061.html
Common Vulnerability Exposure (CVE) ID: CVE-2014-5355
BugTraq ID: 74042
http://www.securityfocus.com/bid/74042
http://www.ubuntu.com/usn/USN-2810-1
Common Vulnerability Exposure (CVE) ID: CVE-2014-9421
BugTraq ID: 72496
http://www.securityfocus.com/bid/72496
Common Vulnerability Exposure (CVE) ID: CVE-2014-9422
BugTraq ID: 72494
http://www.securityfocus.com/bid/72494

Copyright Copyright (C) 2015 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.120539
Categoría:	Amazon Linux Local Security Checks
Título:	Amazon Linux: Security Advisory (ALAS-2015-518)
Resumen:	The remote host is missing an update for the 'krb5' package(s) announced via the ALAS-2015-518 advisory.
Descripción:	Summary: The remote host is missing an update for the 'krb5' package(s) announced via the ALAS-2015-518 advisory. Vulnerability Insight: A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. (CVE-2014-5352) If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. (CVE-2014-5353) It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. (CVE-2014-9421) It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422) Affected Software/OS: 'krb5' package(s) on Amazon Linux. Solution: Please install the updated package(s). CVSS Score: 9.0 CVSS Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2014-5352 BugTraq ID: 72495 http://www.securityfocus.com/bid/72495 Debian Security Information: DSA-3153 (Google Search) http://www.debian.org/security/2015/dsa-3153 http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151437.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html http://www.mandriva.com/security/advisories?name=MDVSA-2015:069 RedHat Security Advisories: RHSA-2015:0439 http://rhn.redhat.com/errata/RHSA-2015-0439.html RedHat Security Advisories: RHSA-2015:0794 http://rhn.redhat.com/errata/RHSA-2015-0794.html SuSE Security Announcement: SUSE-SU-2015:0257 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html SuSE Security Announcement: SUSE-SU-2015:0290 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html SuSE Security Announcement: openSUSE-SU-2015:0255 (Google Search) http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html http://www.ubuntu.com/usn/USN-2498-1 Common Vulnerability Exposure (CVE) ID: CVE-2014-5353 BugTraq ID: 71679 http://www.securityfocus.com/bid/71679 http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155828.html http://www.mandriva.com/security/advisories?name=MDVSA-2015:009 https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html http://www.securitytracker.com/id/1031376 SuSE Security Announcement: openSUSE-SU-2015:0542 (Google Search) http://lists.opensuse.org/opensuse-updates/2015-03/msg00061.html Common Vulnerability Exposure (CVE) ID: CVE-2014-5355 BugTraq ID: 74042 http://www.securityfocus.com/bid/74042 http://www.ubuntu.com/usn/USN-2810-1 Common Vulnerability Exposure (CVE) ID: CVE-2014-9421 BugTraq ID: 72496 http://www.securityfocus.com/bid/72496 Common Vulnerability Exposure (CVE) ID: CVE-2014-9422 BugTraq ID: 72494 http://www.securityfocus.com/bid/72494
Copyright	Copyright (C) 2015 Greenbone AG